Method and apparatus for facilitating efficient authenticated encryption

ABSTRACT

A shared-key encryption scheme that uses identically keyed block-cipher calls, low additional overhead, supports the encryption of arbitrary-length strings, produces a minimal-length-ciphertext, and is fully parallelizable. In one embodiment, “OCB”, a key shared between communicating parties is mapped to a key variant using the block cipher. The key variant is mapped into a sequence of basis offsets using shifts and conditional xors. To encrypt a message using a nonce, a nonce-dependent base offset is formed, and then a sequence of offsets is constructed by starting with the base offset and then xoring, for each offset, an appropriate basis offset. The message is partitioned into message blocks of the same length as the block length of the block cipher, along with a message fragment that may be shorter. Each message block is combined with a corresponding offset, enciphered, and then combined again with the offset, yielding a ciphertext block. The message fragment is xored with an appropriately computed pad to give a ciphertext fragment. A checksum is formed using the message blocks, the message fragment, and the pad. The checksum is combined with an offset and enciphered to yield a tag. The encrypted message includes the ciphertext blocks, the ciphertext fragment, and the tag.

RELATED APPLICATION

[0001] This application hereby claims priority under 35 U.S.C. section 119 to U.S. Provisional Patent Application No. 60/240,471, filed Oct. 12, 2000, and U.S. Provisional Application Ser. No. 60/267,640, filed Feb. 9, 2001. The above-referenced Provisional Patent applications are hereby incorporated by reference.

BACKGROUND

[0002] 1. Field of the Invention

[0003] The present invention relates generally to cryptographic techniques for the construction of symmetric (shared-key) encryption schemes, and more particularly, to ways to use a block cipher in order to construct a highly efficient encryption scheme that simultaneously provides both message privacy and message authenticity.

[0004] 2. Related Art

[0005] When two parties, a Sender and a Receiver, communicate, the parties often need to protect both the privacy and the authenticity of the transmitted data. Protecting the privacy of the data ensures that unauthorized parties will not understand the content of transmissions. Protecting the authenticity of the data provides assurance to the Receiver that the actual Sender of a message coincides with the claimed Sender of the message (and it thereby provides assurance to the Receiver that the message was not accidentally or intentionally modified in transit). Both goals are often accomplished using symmetric (“shared key”) techniques, wherein the Sender and the Receiver make use of a shared key K. We call “authenticated encryption” the goal of simultaneously achieving both privacy and authenticity using shared-key techniques. In an authenticated-encryption method, the Sender can encrypt a message using a key and a nonce (also called an Initialization Vector, or IV) to yield a ciphertext. The Receiver can decrypt a ciphertext using a key and a nonce to yield either a message or a special symbol, invalid, that indicates to the Receiver that the ciphertext should be regarded as inauthentic.

[0006] The most common approach for authenticated encryption uses two different tools: for privacy, a privacy-only encryption scheme, and for authenticity, a message authentication code (MAC). Privacy-only encryption schemes compute a ciphertext from a plaintext, a key, and a nonce. Message authentication codes compute an authentication tag (which is a fixed-length string) from a message and a key. To MAC a message means to compute its authentication tag using a message authentication code.

[0007] Many constructions for privacy-only encryption schemes and many constructions for message authentication codes are known in the art. Some are described, for example, in the book of Menezes, van Oorschot and Vanstone, Handbook of Applied Cryptography, published by CRC Press, 1997. Both privacy-only encryption schemes and message authentication codes are commonly based on the use of a block cipher.

[0008] By way of further background, a block cipher is a function E that takes a key K and a message block X, the key being a binary string from some set of allowed keys and the message block being a binary string of some fixed length n. The block cipher returns a ciphertext block Y=E_(K)(X), which is also a binary string of length n. The number n is called the block length of the block cipher. It is required that for each key K, the function E_(K) is one-to-one and onto (in other words, it is a bijection on the space of n-bit strings). Since E_(K) is one-to-one and onto, it has a well-defined inverse, denoted E_(K)⁻¹. Well known block ciphers include the algorithm of the Data Encryption Standard (DES), which has a block length of n=64 bits, and the algorithm of the Advanced Encryption Standard (AES), which has a block length of n=128 bits. We shall speak of “applying a block cipher” or “enciphering” to refer to the process of taking an n-bit string X and computing from it a string Y=E_(K)(X) for some understood key K and block cipher E. Similarly, we shall speak of “deciphering” to refer to the process of taking an n-bit string Y and computing from it a string X=E_(K)⁻¹(Y).

[0009] The most common approach for privacy-only encryption using an n-bit block cipher E is CBC encryption (cipher block chaining encryption). In the “basic” form of CBC encryption, the message M that we wish to encrypt must be a binary string of length that is a positive multiple of the block length n. The message M is partitioned into n-bit blocks M[1], M[2], . . . , M[m] by taking M[1] as the first n bits of M, taking M[2] as the next n bits of M, and so forth. An n-bit nonce, IV, is selected. Then one encrypts M using the key K and the nonce IV by computing, for each i∈[1 . . . m], the ciphertext block

C[i]=E_(K)(C[i−1]⊕M[i])

[0010] where C[0]=IV. The complete ciphertext is IV together with the ciphertext C=C[1] . . . C[m].

[0011] Nonces are used quite generally for shared-key encryption. A nonce is a value used at most once (or almost certainly used at most once) within a given context. Most often, nonces are realized using a counter or a random value. For CBC encryption, a random value should be used, since there are problems with using a counter IV in CBC encryption.

[0012] The most common approach for making a message authentication code using an n-bit block cipher E is the CBC MAC (cipher block chaining message authentication code). In the “basic” form of the CBC MAC, the message M to be authenticated must be a binary string having a length that is a positive multiple of n. The message M is partitioned into n-bit blocks M[1], M[2], . . . , M[m] by taking M[1] as the first n bits of M, taking M[2] as the next n bits of M, and so forth. One then computes the authentication tag of M, using key K, by way of the same algorithm used for CBC encryption, but where IV=0, the block of n zero bits, and where the authentication tag is the final ciphertext block, Tag=C[m]. Only Tag, or a prefix of Tag, is output as the authentication tag. A Receiver who obtains an authenticated message M∥Tag checks the validity of M by re-computing the CBC MAC of M under key K, obtaining a string Tag′, and verifying that Tag′ is identical to Tag.

[0013] To combine CBC encryption and the CBC MAC, in order to obtain both privacy and authenticity, use the generic composition method. One uses two keys: an encryption key Ke and a message-authentication key Ka. In one method for generic composition, the message M is CBC encrypted using key Ke and nonce IV to yield an intermediate ciphertext C_(int)=IV∥C[1] . . . C[m]. Then the intermediate ciphertext C_(int) is MACed using the CBC MAC under key Ka to yield an authentication tag Tag. The ciphertext for the authenticated-encryption scheme is C=C[1] . . . C[m]∥Tag. The Receiver, on receipt of IV and C[1] . . . C[m]∥Tag, checks that Tag is the CBC MAC of C_(int)=IV∥C[1] . . . C[m] under key Ka. If the received Tag is what the Receiver computes it should be, the Receiver decrypts C[1] . . . C[m] using key Ke and nonce IV to obtain the plaintext M. If the received Tag is different from what the Receiver computes it should be, the Receiver rejects the received ciphertext C=C[1] . . . C[m]∥Tag, regarding it as invalid.

[0014] The same generic-composition approach can be used to combine any privacy-only encryption scheme with any message authentication code.

[0015] There are a number of limitations to the generic composition approach. The main limitation is that two sequential computing passes are made over the data, one to privacy-only encrypt and one to MAC, making the process twice as slow as privacy-only encryption (assuming that privacy-only encryption and MAC computation take about the same amount of time, as they would for CBC encryption and the CBC MAC). Privacy-only encryption can be computationally expensive, and adding in a major additional expense to ensure message authenticity is considered undesirable in many settings.

[0016] Because of the limitation just described, individuals have tried for many years to merge privacy and authenticity into a single, unified process that would be nearly as fast as conventional ways to do privacy-only encryption. Until quite recently, all such attempts failed. For a history of some of the failed attempts, see the survey article of Bart Preneel entitled Cryptographic Primitives for Information Authentication—State of the Art, appearing in State of the Art of Applied Cryptography, COSIAC '97, Lecture Notes in Computer Science, vol. 1528, Springer-Verlag, pp. 49-104, 1998. As an example of a particularly recent attempt, Gligor and Donescu describe an incorrect authenticated-encryption mode in their paper Integrity Aware PCBC Encryption, appearing in Security Protocols, 7th International Workshop, Cambridge, UK, Apr. 19-21, 1999, Lecture Notes in Computer Science, vol. 1796, Springer-Verlag, pp. 153-171, 2000.

[0017] The first publicly disclosed authenticated-encryption scheme that achieves nearly the speed of a conventional, privacy-only encryption scheme was developed by Charanjit Jutla, of IBM. Jutla describes two authenticated-encryption methods in his paper Encryption Modes with Almost Free Message Integrity, which first appeared in the Cryptology ePrint Archive on Aug. 1, 2000. (Later versions of this paper subsequently appeared in Advances in Cryptology—Eurocrypt 2001, Lecture Notes in Computer Science, vol. 2045, Springer-Verlag, May 2001, and as a submission to NIST (the National Institute of Standards and Technology), posted on NIST's website on Apr. 17, 2001.) One of Jutla's schemes is similar to CBC encryption and is called IACBC. The other of Jutla's schemes is a parallelizable mode that Jutla calls IAPM. Jutla's IACBC scheme is illustrated in FIG. 6, while his IAPM scheme is illustrated in FIG. 7.

[0018] Both IACBC and IAPM are authenticated-encryption schemes based on an n-bit block cipher, E. The modes require that the message M which is to be encrypted has a length which is a positive multiple of the block length n: say M=M[1] . . . M[m], where each M[i] is n bits long. The schemes employ two block-cipher keys, K1 and K2, which together comprise the encryption key K=(K1, K2). Conceptually, there are two processes involved: a “make-offset process” and a “main process”. The make-offset process is the same for IACBC and IAPM, while the main process in the two schemes differs.

[0019] Referring to the left hand side of FIGS. 6 and 7, the make-offset process in IACBC and IAPM uses the key K2 to map a random nonce, R, into a sequence of “pairwise independent” offsets, Z=Z[0], . . . , Z[m], Z[m+1]. Notice that one needs two more offsets than the message M is long (measured in blocks). Each offset is n bits. Jutla describes two different methods to realize the make-offset process. We shall describe these methods shortly; for now we view the production of offsets as a black-box process and we continue the explanation of the main process of IACBC and IAPM.

[0020] The main process of IACBC is shown in the right-hand side of FIG. 6. Having used the key K2 and the nonce R to derive offsets Z[0], . . . , Z[m+1], encipher nonce R, now under key K1, to determine an initial chaining value, Y[0]=C[0]=E_(K1)(R). Then CBC encrypt M=M[1] . . . M[m]: for i∈[1 . . . m], let Y[i]=E_(K1)(Y[i−1]⊕M[i]). Next, mask each of these block-cipher outputs to determine a ciphertext block: for i∈[1 . . . m], let C[i]=Y[i]⊕Z[i]. Call the string C=C[1] . . . C[m] the “ciphertext core”. Next one computes a “checksum”, Checksum, by xoring the message blocks: Checksum=M[1]⊕ . . . ⊕M[m]. Next one forms an “authentication tag” by setting Tag=E_(K1)(Checksum⊕Y[m])⊕Z[0]. The complete ciphertext specifies C[0], ciphertext core C=C[1] . . . C[m], and authentication tag Tag.

[0021] Decryption proceeds by the natural algorithm, as will be understood by those skilled in the art to which the present invention pertains, rejecting the ciphertext if the supplied authentication tag does not have the anticipated value.

[0022] We now describe the main process of IAPM, as shown in the right-hand side of FIG. 7. Having used the key K2 and the nonce R to derive offsets Z[0], . . . , Z[m+1], encipher R, now using key K1, to determine an enciphered R-value, C[0]=E_(K1)(R). Now, for each i∈[1 . . . m], message block M[i] is xored with offset Z[i], the result is enciphered using E (keyed by K1), and the resulting block is xored once again with offset Z[i], yielding a ciphertext block C[i]: that is, for each i∈[1 . . . m], let C[i]=Z[i]⊕E_(K1)(M[i]⊕Z[i]). Call C=C[1] . . . C[m] the ciphertext core. Next, compute a checksum, Checksum, by xoring together the message blocks: Checksum=M[1]⊕ . . . ⊕M[m]. Next, form an authentication tag, Tag, by xoring the checksum with offset Z[m+1], enciphering the result with E_(K1), and xoring the resulting block with offset Z[0]: Tag=Z[0]⊕E_(K1)(Checksum⊕Z[m+1]). The complete ciphertext specifies C[0], ciphertext core C=C[1] . . . C[m], and authentication tag Tag.

[0023] Decryption proceeds by the natural algorithm, rejecting a ciphertext if its supplied authentication tag does not have the anticipated value. Namely, set R=E_(K1)⁻¹(C[0]) and use R and K2 to compute the offset sequence Z[0], . . . , Z[m+1]. Then compute the prospective plaintext M′=M[1] . . . M[m] by setting M[i]=Z[i]⊕E_(K1)⁻¹(C[i]⊕Z[i]). Next, re-compute the tag Tag′ that one would expect for the prospective plaintext M′: Checksum=M[1]⊕ . . . ⊕M[m] and Tag′=Z[0]⊕E_(K1)(Checksum⊕Z[m+1]). If the expected tag, Tag′, matches the tag Tag appearing within the ciphertext, then the plaintext M is defined as the prospective plaintext M′. Otherwise, the received ciphertext is invalid.

[0024] It should be noted that IACBC is not parallelizable: one cannot compute Y[i] until Y[i−1] has already been computed, making that method inherently sequential. But IAPM is fully parallelizable: all of the block-cipher calls needed to compute the ciphertext core can be computed at the same time.

[0025] We comment that the nonce R used in IACBC must be random. Use of a counter, or another adversarially predictable value, will result in an incorrect scheme.

[0026] It is important to optimize the speed of the make-offset process because, if it is slow, then the entire encryption process will be slow. Jutla's “method 1” for making offsets is depicted in FIG. 8. It works as follows. Let t be the number of bits needed to write m+2 in binary; that is,

t=1+⌊log₂(m+2)⌋.

[0027] Now for each i∈[1 . . . t], let

IV[i]=E_(K2)(R+i)

[0028] where the indicated addition operation means computer addition of n-bit strings (that is, regard i as an n-bit string and add it to the n-bit string R, ignoring any carry that might be generated). The value R should be a random value (a counter, for example, will not work correctly). Offsets are now formed by xoring together different combinations of IV[i]-values. Jutla suggests the following to compute each Z[i] value, for i∈[0 . . . m+1]. Number bit positions left-to-right by 1, . . . , t and let i₁, . . . , i_(s)∈[1 . . . t] denote all of the bit positions where i+1, when written as a t-bit binary number, has a 1-bit. Then set

Z[i]=IV[i₁]⊕ . . . ⊕IV[i_(s)]

[0029] As an example, if m=3 then t=3 (since 5 is 101 in binary, which takes 3 bits to write down), Z[0]=IV[3] (since 1 is 001 in binary), Z[1]=IV[2] (since 2 is 010 in binary), Z[2]=IV[2]⊕IV[3] (since 3 is 011 in binary), Z[3]=IV[1] (since 4 is 100 in binary), and Z[4]=IV[1]⊕IV[3] (since 5 is 101 in binary).

[0030] We now describe Jutla's “method 2” for making offsets. Choose a large prime number p just less than 2^(n) (e.g., choose the largest prime less than 2^(n)) and then, for i∈[0 . . . m+1], set

Z[i]=(IV[1]+i·IV[2]) mod p

[0031] where IV[1]=E_(K2)(R+1) and IV[2]=E_(K2)(R+2) are defined as before. Again, nonce R should be a random value. The multiplication operator “·” refers to ordinary multiplication in the integers. Notice that for i≧1, the value of Z[i] can be computed from Z[i−1] by addition of IV[2], modulo p. This second method of Jutla's requires fewer block-cipher calls than the first method of Jutla's (block-cipher calls are used to make the IV[i] values, and now only two such values are needed, regardless of the length of the message). On the other hand, the mod p addition is likely more expensive than xor.

[0032] The property that Jutla demands of the sequence of offsets he calls pairwise independence, but Jutla does not use this term in accordance with its customary meaning in probability theory. Jutla appears to mean the property usually called strongly universal-2. A family of random variables Z[0], Z[1], Z[2], . . . , each with range D, is said to be strongly universal-2 if, for all i≠j, the random variable (Z[i], Z[j]) is uniformly distributed over D×D.

[0033] Just subsequent to the appearance of Jutla's paper, two other authors, Virgil Gligor and Pompiliu Donescu, described another authenticated-encryption scheme. Their paper, dated Aug. 18, 2000 and entitled Fast Encryption and Authentication: XCBC Encryption and XECB Authentication Modes, first appeared on Gligor's worldwide web homepage (http://www.eng.umd.edu/˜gligor). The Gligor-Donescu authenticated-encryption scheme, which the authors call XCBC, resembles Jutla's IACBC. The scheme called XCBC$ is depicted in FIG. 9. The main difference between IACBC and XCBC$ is that the latter uses offsets Z[1], Z[2], . . . , Z[m+1], which are now defined by: Z[0]=0 and, for i∈[1 . . . m+1], Z[i]=Z[i−1]+R. The indicated addition means addition of binary strings, modulo 2^(n). Besides this “method 3” to create offsets, one should note that the value of Z[i] is now added (modulo 2^(n)) to the block-cipher output, rather than being xored with the block-cipher output. Other differences between the Jutla and Gligor-Donescu schemes will be apparent to those skilled in the relevant art when comparing FIGS. 5 and 8.

[0034] As with Jutla's schemes, the nonce R in XCBC$ should be a random value; use of a counter, or another adversarially-predictable quantity, will not work correctly. The authors give a closely related scheme, XCBC, which employs a counter instead of a random value. That scheme is illustrated in FIG. 10. The complete ciphertext specifies the nonce, “ctr”, as well as C[1] . . . C[m]∥Tag.

[0035] It should be noted that XCBC and XCBC$, like IACBC, are sequential. Gligor's paper, as it originally appeared, did not suggest a parallelizable approach for authenticated encryption.

[0036] All of the available authenticated-encryption schemes we have described thus far share the following limitation: they assume that all messages to be encrypted have a length that is a positive multiple of the block length n. This restriction can be removed by first padding the message, using padding techniques well-known in the art. For example, one can append to every message M a “1” bit and then append the minimum number of 0-bits so that the padded message has a length which is a multiple of n. We call this “obligatory padding”. Decryption removes the obligatory padding to recover the original message. However, removing the length restriction in an authenticated-encryption scheme by obligatory padding is undesirable because it increases the length of the ciphertext (by an amount between 1 and n−1 bits). Furthermore, the method results in an extra block-cipher invocation when the message M is of a length already a positive multiple of n.
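The following Python program is an added worked example, not code from the patent or from Jutla's paper. It implements the IAPM main process of [0022]-[0023] (encryption and tag-checking decryption), Jutla's method 1 for making offsets ([0026]-[0029]), and the obligatory padding of [0036] so that a message of any byte length can be processed. The block cipher E and its inverse D are a constructed stand-in (a keyed Feistel permutation on 16-byte blocks built from SHA-256), since the page does not fix a cipher; the keys and the nonce in the usage section are constructed sample values. The nonce R is passed in explicitly only to keep the example deterministic; per [0025] a real R must be random.

```python
import hashlib
import hmac

N_BYTES = 16          # block length n = 128 bits
ROUNDS = 4

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def E(K, X):
    """Stand-in block cipher: a keyed Feistel permutation of 16-byte blocks with SHA-256
    as the round function.  It is a bijection, which is all the mode needs; it is not AES."""
    L, R = X[:8], X[8:]
    for r in range(ROUNDS):
        L, R = R, xor(L, hashlib.sha256(K + bytes([r]) + R).digest()[:8])
    return L + R

def D(K, Y):
    """Inverse of E: run the Feistel rounds backwards."""
    L, R = Y[:8], Y[8:]
    for r in reversed(range(ROUNDS)):
        L, R = xor(R, hashlib.sha256(K + bytes([r]) + L).digest()[:8]), L
    return L + R

def add_mod_2n(R, i):
    """Computer addition of the n-bit string R and the integer i, carry-out discarded."""
    return ((int.from_bytes(R, "big") + i) % (1 << 8 * N_BYTES)).to_bytes(N_BYTES, "big")

def make_offsets_method1(K2, R, m):
    """Jutla's method 1: t = 1 + floor(log2(m+2)); IV[j] = E_K2(R+j); Z[i] is the xor of
    the IV[j] at the bit positions (numbered 1..t, left to right) where i+1 has a 1-bit."""
    t = (m + 2).bit_length()
    IV = {j: E(K2, add_mod_2n(R, j)) for j in range(1, t + 1)}
    Z = []
    for i in range(m + 2):
        z = bytes(N_BYTES)
        for pos in range(1, t + 1):
            if (i + 1) >> (t - pos) & 1:
                z = xor(z, IV[pos])
        Z.append(z)
    return Z                      # Z[0], ..., Z[m+1]

def obligatory_pad(M):
    """Append a 1-bit (0x80) then the fewest 0-bits to reach a multiple of n; a message
    whose length is already a multiple of n grows by a whole extra block."""
    return M + b"\x80" + b"\x00" * ((-len(M) - 1) % N_BYTES)

def obligatory_unpad(P):
    return P[:P.rindex(b"\x80")]

def iapm_encrypt(K1, K2, R, M):
    """Ciphertext = C[0] || C[1..m] || Tag, as in [0022]."""
    P = obligatory_pad(M)
    m = len(P) // N_BYTES
    blocks = [P[N_BYTES * i:N_BYTES * (i + 1)] for i in range(m)]
    Z = make_offsets_method1(K2, R, m)
    C0 = E(K1, R)
    # Each block depends only on M[i] and Z[i]: this is what makes IAPM parallelizable.
    core = [xor(Z[i + 1], E(K1, xor(blocks[i], Z[i + 1]))) for i in range(m)]
    checksum = bytes(N_BYTES)
    for b in blocks:
        checksum = xor(checksum, b)
    tag = xor(Z[0], E(K1, xor(checksum, Z[m + 1])))
    return C0 + b"".join(core) + tag

def iapm_decrypt(K1, K2, CT):
    """Returns the message, or None (the page's 'invalid' symbol) if the tag does not verify."""
    if len(CT) % N_BYTES or len(CT) < 3 * N_BYTES:
        return None
    C0, core, tag = CT[:N_BYTES], CT[N_BYTES:-N_BYTES], CT[-N_BYTES:]
    m = len(core) // N_BYTES
    R = D(K1, C0)
    Z = make_offsets_method1(K2, R, m)
    blocks = [xor(Z[i + 1], D(K1, xor(core[N_BYTES * i:N_BYTES * (i + 1)], Z[i + 1])))
              for i in range(m)]
    checksum = bytes(N_BYTES)
    for b in blocks:
        checksum = xor(checksum, b)
    expected = xor(Z[0], E(K1, xor(checksum, Z[m + 1])))
    if not hmac.compare_digest(tag, expected):   # constant-time tag comparison
        return None
    return obligatory_unpad(b"".join(blocks))

if __name__ == "__main__":
    K1, K2 = b"key-one-16-bytes", b"key-two-16-bytes"   # constructed sample keys
    R = bytes(range(16))                                 # constructed sample nonce (must be random in use)
    ct = iapm_encrypt(K1, K2, R, b"attack at dawn")
    print(len(ct), iapm_decrypt(K1, K2, ct))
```

The cost noted in [0036] is visible in the returned lengths: a 14-byte message gives a 48-byte ciphertext (C[0], one core block, Tag), while a 16-byte message pads to two blocks and gives 64 bytes. Flipping any bit of the ciphertext core changes the recovered checksum and so the expected tag, and decryption returns None.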

[0037] Another approach known in the art to deal with messages whose length is not a positive multiple of n is “ciphertext stealing CBC encryption”, which is like ordinary CBC encryption except that the final message block M[m] may have fewer than n bits and the final ciphertext block C[m] is defined not by C[m]=E_(K)(M[m]⊕C[m−1]) but by C[m]=E_(K)(C[m−1])⊕M[m]. One could hope to somehow use ciphertext stealing in an authenticated-encryption scheme, but it is not known how to do this in a way that does not destroy the authenticity property required of an authenticated-encryption scheme. In particular, natural attempts to try to modify IAPM in a manner that employs ciphertext stealing result in flawed schemes. A possible approach is to adapt ideas from the paper of Black and Rogaway, CBC MACs for Arbitrary-Length Messages: The Three Key Constructions, appearing in Advances in Cryptology—CRYPTO '00, Lecture Notes in Computer Science, Springer-Verlag, 2000. This paper teaches the use of obligatory padding for messages of length zero or a non-multiple of n, combined with no padding for messages of length a positive multiple of n, combined with xoring into the last block one of two different keys, as a way to differentiate these two different cases. However, such a method is tailored to the construction of message authentication codes, particularly message authentication codes based on the CBC MAC. It is unknown if such methods can be correctly adapted to an authenticated-encryption scheme like IAPM.

[0038] An additional limitation of the authenticated-encryption techniques we have discussed is the use of multiple keys. While well-known key-separation techniques can create as many “key variants” as one needs from a single underlying key, depending on such methods results in additional time for key-setup and additional space for key storage. It is unknown how one could devise a correct algorithm that would use only a single block-cipher key and use this one key to key all block-cipher invocations.

[0039] Method 1 for computing offsets is complex and slow, needing an unbounded number of block-cipher calls. The values IV[1], . . . , IV[t] can be computed during a pre-processing stage, but this pre-processing will be slow. Method 2 for computing offsets requires modulo p addition, which is not particularly fast because typical implementations use blocks having n=128 bits. Method 3 for computing offsets likewise requires addition (now modulo 2^(n)) of quantities typically having n=128 bits, which may again be inconvenient because computers do not generally support such an operation, and high-level programming languages do not give access to the add-with-carry instruction that best helps to implement it. Most of the methods we have described require the use of a random nonce R, and the schemes will not work correctly should R be predictable by an adversary.

SUMMARY

[0040] Variations of the present invention provide methods for constructing more efficient authenticated-encryption schemes. The new methods give rise to parallelizable authenticated-encryption schemes that combine any or all of the following features: (1) Messages of arbitrary bit length (not necessarily a multiple of the block length n) can be encrypted. (2) The resulting ciphertext will be as short as possible (in particular, the ciphertext core will have the same length as the message that is being encrypted, even when the message length is not a multiple of the block length). (3) Offsets can be computed by extremely fast and simple means, and without the use of modular addition. (4) Pre-processing costs are very low (e.g., one block-cipher call and some shifts and xors). (5) The encryption key is a single block-cipher key, and all block-cipher calls make use of only this one key. (6) The needed nonce may be adversarially predictable (a counter is fine). (7) Only as many offsets are needed as the message is long (in blocks). (8) A total of m+2 (or even m+1) block-cipher calls are adequate to encrypt a message of m blocks.

[0041] To achieve these and other goals, new techniques have been developed. A first set of techniques concerns the “structure” of an authenticated-encryption scheme, and describes improved methods for how the message M is partitioned into pieces and how these pieces are then processed. A second set of techniques concerns improved ways to generate the needed offsets. A third set of techniques deals with methods to avoid the use of multiple block-cipher keys. A fourth set of techniques facilitates authenticated-encryption schemes which efficiently process associated-data, where associated-data refers to information which should be authenticated by the Receiver but which is not a part of the message that is being encrypted. The different types of improvements are largely orthogonal.

[0042] More specifically, one embodiment of the present invention provides an authenticated-encryption system that uses a key and a nonce to encrypt a message into a ciphertext. The system operates by partitioning the message into a message body comprising a sequence of n-bit message blocks, and a message fragment of at most n bits. Next, the system generates a sequence of offsets from the nonce and the key. The system then computes a ciphertext body using a block cipher, the message body, the key, the nonce, and the sequence of offsets. The system also computes a ciphertext fragment using the block cipher, the message fragment, the key, and an offset. The system additionally computes a tag as a function of the message body, the message fragment, the sequence of offsets, and the key. The ciphertext is defined to include the ciphertext body, the ciphertext fragment, and the tag.

[0043] In one embodiment of the present invention, generating the sequence of offsets involves determining a first offset as a function of the nonce and the key. It also involves determining each subsequent offset by combining a previous offset and a basis offset, wherein each basis offset is determined as a function of the key.

[0044] In one embodiment of the present invention, generating the sequence of offsets involves determining an offset by combining a base offset and a fixed offset, wherein the base offset is a function of the key and the nonce, and the fixed offset is a function of the key and a position of the fixed offset in a sequence of fixed offsets.

[0045] In one embodiment of the present invention, generating the sequence of offsets involves: generating a sequence of fixed offsets from the key; generating a base offset from the key and the nonce; generating a sequence of translated offsets by combining each fixed offset with the base offset to get a corresponding translated offset; and using the sequence of translated offsets as the sequence of offsets. In a variation on this embodiment, the key determines a sequence of basis offsets and each fixed offset is determined by xoring some combination of basis offsets. In a further variation, each basis offset except for the first basis offset is determined by a shift and a conditional xor applied to a previous basis offset. In yet a further variation, the order that basis offsets are combined into fixed offsets is determined according to a Gray code.

[0046] In one embodiment of the present invention, generating the sequence of offsets involves: computing a sequence of basis offsets from the key; computing a base offset from the key and the nonce; and computing a sequence of translated offsets, wherein the first offset is determined from the base offset, the key, and the nonce, and subsequent offsets are determined by combining the prior translated offset with a basis offset.

[0047] In one embodiment of the present invention, generating the sequence of offsets involves: computing a key-variant offset by enciphering a constant with the block cipher, wherein the block cipher is keyed by a given key; and computing the sequence of offsets using the key-variant offset.

[0048] In one embodiment of the present invention, computing the ciphertext body involves: combining each message block in the message body with a corresponding offset to produce a corresponding input block; applying the block cipher to each input block to produce a corresponding output block; and combining each output block with a corresponding offset to produce a corresponding ciphertext block.

[0049] In one embodiment of the present invention, computing the ciphertext fragment involves: computing a precursor pad as a function of an offset; computing a pad by applying the block cipher to the precursor pad; and computing the ciphertext fragment by combining the message fragment and the pad.

[0050] In one embodiment of the present invention, computing the tag involves: computing a checksum as a function of the message and a sequence of offsets; and computing the tag as a function of the checksum, the key, and an offset.

[0051] In one embodiment of the present invention, computing the tag involves computing a checksum from the message blocks, the message fragment, and a pad; combining the checksum with an offset to produce a precursor full tag; computing a full tag by applying the block cipher to the precursor full tag; and computing a tag as a portion of the full tag.

[0052] One embodiment of the present invention provides a system that uses a key and a nonce to decrypt a ciphertext into a message. The system operates by partitioning the ciphertext into a ciphertext body including a sequence of n-bit ciphertext blocks, a ciphertext fragment of at most n bits, and a tag. Next, the system generates a sequence of offsets from the nonce and the key. The system then computes a message body using a block cipher, the ciphertext body, the key, the nonce, and the sequence of offsets. The system also computes a message fragment using the block cipher, the ciphertext fragment, the key, and an offset. The system additionally computes a new tag as a function of the message body, and then compares the new tag with the tag. If the new tag matches the tag, the system returns the message, wherein the message includes the message body and the message fragment. Otherwise, if the new tag does not match the tag, the system returns a message invalid signal.

BRIEF DESCRIPTION OF THE FIGURES

[0053] FIG. 1 describes encryption under “OCB”, where OCB is the name for one embodiment of many of the techniques taught in the present invention.

[0054] FIG. 2 is a high-level description of the make-offset process of OCB in accordance with an embodiment of the present invention.

[0055] FIG. 3 is a low-level description of the make-offset process of OCB in accordance with an embodiment of the present invention.

[0056] FIG. 4 describes decryption under OCB in accordance with an embodiment of the present invention.

[0057] FIG. 5 describes a variant of OCB in accordance with an embodiment of the present invention.

[0058] FIG. 6 depicts the IAPM scheme of Jutla.

[0059] FIG. 7 depicts the IACBC scheme of Jutla.

[0060] FIG. 8 depicts one of Jutla's methods for constructing offsets.

[0061] FIG. 9 depicts the XCBC$ scheme of Gligor and Donescu.

[0062] FIG. 10 depicts the XCBC scheme of Gligor and Donescu.

DETAILED DESCRIPTION

[0063] The following description is presented to enable any person skilled in the art to make and use the invention, and is provided in the context of a particular application and its requirements. Various modifications to the disclosed embodiments will be readily apparent to those skilled in the art, and the general principles defined herein may be applied to other embodiments and applications without departing from the spirit and scope of the present invention. Thus, the present invention is not intended to be limited to the embodiments shown, but is to be accorded the widest scope consistent with the principles and features disclosed herein.

[0064] The data structures and code described in this detaileddescription are typically stored on a computer-readable storage medium,which may be any device or medium that can store code and/or data foruse by a computer system. This includes, but is not limited to, magneticand optical storage devices such as disk drives, magnetic tape, CDs(compact discs) and DVDs (digital versatile discs or digital videodiscs), and computer instruction signals embodied in a transmissionmedium (with or without a carrier wave upon which the signals aremodulated). For example, the transmission medium may include acommunications network, such as the Internet.

[0065] We now describe an embodiment of the present invention known asOCB (for offset codebook) mode. OCB is an authenticated-encryptionscheme that uses an n-bit block cipher E, a key K, and a nonce Nonce toencrypt an arbitrary message M. To specify OCB we begin by giving somenotation and reviewing some mathematical background.

[0066] Notation and Mathematical Background

[0067] If a and b are integers, a≤b, then [a..b] is the set of all integers between and including a and b. If i≥1 is an integer then ntz(i) is the number of trailing 0-bits in the binary representation of i (equivalently, ntz(i) is the largest integer z such that 2^(z) divides i). So, for example, ntz(7)=0 and ntz(8)=3.

[0068] A string is a finite sequence of symbols, each symbol being 0 or 1. The string of length 0 is called the empty string and is denoted ε. Let {0,1}* denote the set of all strings. If A, B∈{0,1}* then A B, or A∥B, is their concatenation. If A∈{0,1}* and A≠ε then firstbit(A) is the first bit of A and lastbit(A) is the last bit of A. Let i and n be nonnegative integers. Then 0^(i) and 1^(i) denote strings of i 0's and 1's, respectively. For n understood, 0 means 0^(n). Let {0,1}^(n) denote the set of all strings of length n. If A∈{0,1}* then |A| is the length of A, in bits, while |A|_(n)=max(1, ┌|A|/n┐) is the length of A in n-bit blocks, where the empty string counts as one block. For A∈{0,1}* and |A|≤n, zpad_(n)(A) is A∥0^(n−|A|). With n understood we write A0* for zpad_(n)(A). If A∈{0,1}* and t∈[0..|A|] then A[first t bits] and A[last t bits] are the first t bits of A and the last t bits of A, respectively. Both of these values are the empty string if t=0. If A, B∈{0,1}* then A⊕B is the bitwise xor of A[first s bits] and B[first s bits] where s=min{|A|,|B|}; for example, 1001⊕110=010.

[0069] If A=a_(n−1) . . . a₁ a₀∈{0,1}^(n) is a string, each a_(i)∈{0,1}, then str2num(A) is the number Σ_(0≤i≤n−1) 2^(i) a_(i) that this string represents, in binary. If a∈[0..2^(n)−1] is a number, then num2str_(n)(a) is the n-bit string A such that str2num(A)=a. Let len_(n)(A)=num2str_(n)(|A|) be the string that encodes the length of A as an n-bit string. We omit the subscript n when it is understood.

[0070] If A=a_(n−1) a_(n−2) . . . a₁ a₀∈{0,1}^(n) then A<<1=a_(n−2) . . . a₁ a₀ 0 is the n-bit string which is a left shift of A by 1 bit (the first bit of A disappearing and a zero coming into the last bit), while A>>1=0 a_(n−1) a_(n−2) . . . a₁ is the n-bit string which is a right shift of A by one bit (the last bit disappearing and a zero coming into the first bit).

[0071] In pseudocode we write “Partition M into M[1] . . . M[m]” as shorthand for “Let m=|M|_(n) and let M[1], . . . , M[m] be strings such that M[1] . . . M[m]=M and |M[i]|=n for 1≤i<m.” We write “Partition C into C[1] . . . C[m] T” as shorthand for “if |C|<t then return invalid. Otherwise, let C=C[first |C|−t bits], let T=C[last t bits], let m=|C|_(n), and let C[1] . . . C[m] be strings such that C[1] . . . C[m]=C and |C[i]|=n for 1≤i<m.” Recall that |M|_(n)=max{1, ┌|M|/n┐}, so the empty string partitions into m=1 blocks, that one block being the empty string.

[0072] By way of mathematical background, recall that a finite field is a finite set together with an addition operation and a multiplication operation, each defined to take a pair of points in the field to another point in the field. The operations must obey certain basic axioms defined by the art. (For example, there must be a point 0 in the field such that a+0=0+a=a for every a; there must be a point 1 in the field such that a·1=1·a=a for every a; and for every a≠0 there must be a point a⁻¹ in the field such that a·a⁻¹=a⁻¹·a=1.) For each number n there is a unique finite field (up to the naming of the points) that has 2^(n) elements. It is called the Galois field of size 2^(n), and it is denoted GF(2^(n)).

[0073] We interchangeably think of a point a∈GF(2^(n)) in any of the following ways: (1) as an abstract point in a field; (2) as an n-bit string a_(n−1) . . . a₁ a₀∈{0,1}^(n); (3) as a formal polynomial a(x)=a_(n−1)x^(n−1)+ . . . +a₁x+a₀ with binary coefficients; (4) as a nonnegative integer between 0 and 2^(n)−1, where the string a∈{0,1}^(n) corresponds to the number str2num(a). For example, one can regard the string a=0¹²⁵101 as a 128-bit string, as the number 5, as the polynomial x²+1, or as a particular point in the finite field GF(2¹²⁸). We write a(x) instead of a if we wish to emphasize the view of a as a polynomial in the formal variable x.

[0074] To add two points in GF(2^(n)), take their bitwise xor. We denote this operation by a⊕b.

[0075] Before we can say how to multiply two points we must fix some irreducible polynomial poly_(n)(x) having binary coefficients and degree n. For OCB, choose the lexicographically first polynomial among the irreducible degree-n polynomials having a minimum number of coefficients. For n=128, the indicated polynomial is poly₁₂₈(x)=x¹²⁸+x⁷+x²+x+1.

[0076] To multiply points a, b∈GF(2^(n)), which we denote a·b, regard a and b as polynomials a(x) and b(x), form their product polynomial c(x) (where one adds and multiplies coefficients in GF(2)), and take the remainder one gets when dividing c(x) by the polynomial poly_(n)(x). By convention, the multiplication operator has higher precedence than the addition operator and so, for example, γ₁·L⊕R means (γ₁·L)⊕R.

[0077] It is particularly easy to multiply a point a∈{0,1}^(n) by x. We illustrate the method for n=128, where poly_(n)(x)=x¹²⁸+x⁷+x²+x+1. Then multiplying a=a_(n−1) . . . a₁ a₀ by x yields the polynomial a_(n−1)x^(n)+a_(n−2)x^(n−1)+ . . . +a₁x²+a₀x. Thus, if the first bit of a is 0, then a·x=a<<1. If the first bit of a is 1 then we must add x¹²⁸ to a<<1. Since x¹²⁸+x⁷+x²+x+1=0 we know that x¹²⁸=x⁷+x²+x+1, so adding x¹²⁸ means to xor by 0¹²⁰10000111. In summary, when n=128,

$a \cdot x = \begin{cases} a \ll 1 & \text{if } \mathrm{firstbit}(a)=0, \text{ and} \\ (a \ll 1) \oplus 0^{120}10000111 & \text{if } \mathrm{firstbit}(a)=1 \end{cases}$

[0078] If a∈{0,1}^(n) then we can divide a by x, meaning that one multiplies a by the multiplicative inverse of x in the field: a·x⁻¹. It is easy to compute a·x⁻¹. To illustrate, again assume that n=128. Then if the last bit of a is 0, then a·x⁻¹ is a>>1. If the last bit of a is 1, then we must add (xor) to a>>1 the value x⁻¹. Since x¹²⁸=x⁷+x²+x+1 we have x¹²⁷=x⁶+x+1+x⁻¹ and so x⁻¹=x¹²⁷+x⁶+x+1=10¹²⁰1000011. In summary, for n=128,

$a \cdot x^{-1} = \begin{cases} a \gg 1 & \text{if } \mathrm{lastbit}(a)=0, \text{ and} \\ (a \gg 1) \oplus 10^{120}1000011 & \text{if } \mathrm{lastbit}(a)=1 \end{cases}$

[0079] If L∈{0,1}^(n) and i≥−1, we write L(i) for L·x^(i). There is an easy way to compute L(−1), L(0), L(1), . . . , L(u), for a small number u. Namely, set L(0)=L; compute L(i)=L(i−1)·x from L(i−1), for all i∈[1..u], using a shift and a conditional xor (with the formula we have given); and compute L(−1) from L by a shift and a conditional xor (with the formula we have given).

[0080] Still by way of background, a Gray code is an ordering of the points of {0,1}^(s) (for some number s) such that successive points differ (in the Hamming sense) by just one bit. For n a fixed number, like n=128, OCB uses the canonical Gray code Gray(n)=(γ₀, γ₁, . . . , γ_(2^(n)−1)). Gray(n) is defined as follows: Gray(1)=(0, 1) and Gray(s) is constructed from Gray(s−1) by first listing the strings of Gray(s−1) in order, each preceded by a 0-bit, and then listing the strings of Gray(s−1) in reverse order, each preceded by a 1-bit. It is easy to see that Gray(n) is a Gray code. What is more, γ_(i) can be obtained from γ_(i−1) by xoring γ_(i−1) with 0^(n−1)1<<ntz(i). This makes successive strings easy to compute.

[0081] As an example, Gray(128)=(0,1,3,2,6,7,5,4, . . . ). To see this, start with (0, 1). Then write it once forward and once backwards, (0,1,1,0). Then write (00, 01, 11, 10). Then write it once forward and once backwards, (00,01,11,10, 10,11,01,00). Then write (000,001,011,010, 110,111,101,100). At this point we already know the first 8 strings of Gray(128), which are (0,1,3,2,6,7,5,4), where these numbers are understood to represent 128-bit strings. So, for example, γ₅ is 7 and γ₆ is 5, and γ₆=5 really is γ₅=7 xored with 2, where 2 is the string 1 shifted left ntz(6)=1 positions.

[0082] Let L∈{0,1}^(n) and consider the problem of successively forming the strings γ₁·L, γ₂·L, γ₃·L, . . . , γ_(m)·L. Of course γ₁·L=1·L=L. Now, for i≥2, assume one has already computed γ_(i−1)·L. Since γ_(i)=γ_(i−1)⊕(0^(n−1)1<<ntz(i)) we know that

$\begin{aligned} \gamma_i \cdot L &= \left(\gamma_{i-1} \oplus (0^{n-1}1 \ll \mathrm{ntz}(i))\right) \cdot L \\ &= \gamma_{i-1} \cdot L \oplus (0^{n-1}1 \ll \mathrm{ntz}(i)) \cdot L \\ &= \gamma_{i-1} \cdot L \oplus (L \cdot x^{\mathrm{ntz}(i)}) \\ &= \gamma_{i-1} \cdot L \oplus L(\mathrm{ntz}(i)) \end{aligned}$

[0083] That is, the i-th string in the sequence is obtained by xoring the previous string in the sequence with L(ntz(i)).

[0084] Had the sequence we were considering been additively offset by some value R, that is, R⊕γ₁·L, R⊕γ₂·L, . . . , R⊕γ_(m)·L, the i-th string in the sequence would be formed in the same way, for i≥2, but the first string in the sequence would be L⊕R instead of L.
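The GF(2¹²⁸) arithmetic and the Gray-code offset construction of paragraphs [0075] through [0084], as an added example that is not part of the patent text. It implements the shift-and-conditional-xor rules for a·x and a·x⁻¹, a general field multiplication built from them, and checks that offsets built incrementally as Z[i]=Z[i−1]⊕L(ntz(i)) equal the directly computed γ_(i)·L⊕R; the values of L and R are constructed sample inputs.

```python
# Added example (not the patent's own code): GF(2^128) helpers and the
# Gray-code offset sequence of OCB. Integers stand for n-bit strings with
# the top bit as the "first bit", matching str2num in paragraph [0069].

N = 128
MASK = (1 << N) - 1
POLY_LOW = 0b10000111           # x^7 + x^2 + x + 1, i.e. the string 0^120 10000111
X_INV = (1 << (N - 1)) | 0b1000011   # x^-1 = x^127 + x^6 + x + 1 = 1 0^120 1000011


def times_x(a: int) -> int:
    """a . x: shift left; if the first bit was 1, xor in the reduction constant."""
    if a >> (N - 1) == 0:
        return (a << 1) & MASK
    return ((a << 1) & MASK) ^ POLY_LOW


def times_x_inv(a: int) -> int:
    """a . x^-1: shift right; if the last bit was 1, xor in x^-1."""
    if a & 1 == 0:
        return a >> 1
    return (a >> 1) ^ X_INV


def gf_mul(a: int, b: int) -> int:
    """General multiplication in GF(2^128): shift-and-add driven by times_x."""
    acc = 0
    while b:
        if b & 1:
            acc ^= a
        a = times_x(a)
        b >>= 1
    return acc


def ntz(i: int) -> int:
    """Number of trailing zero bits of i >= 1; ntz(7) = 0, ntz(8) = 3."""
    return (i & -i).bit_length() - 1


def gray(i: int) -> int:
    """gamma_i of the canonical Gray code of paragraph [0080]: i xor (i >> 1)."""
    return i ^ (i >> 1)


def basis_offsets(L: int, u: int) -> dict:
    """L(-1), L(0), ..., L(u) with L(i) = L . x^i, as in paragraph [0079]."""
    table = {-1: times_x_inv(L), 0: L}
    for i in range(1, u + 1):
        table[i] = times_x(table[i - 1])
    return table


def offsets_incremental(L: int, R: int, m: int) -> list:
    """Z[1..m] built as in paragraph [0084]: Z[1] = L xor R, Z[i] = Z[i-1] xor L(ntz(i))."""
    table = basis_offsets(L, max(1, m.bit_length()))
    offsets, current = [], R
    for i in range(1, m + 1):
        current ^= table[ntz(i)]
        offsets.append(current)
    return offsets


def offsets_direct(L: int, R: int, m: int) -> list:
    """Z[i] = gamma_i . L xor R computed with a full field multiplication."""
    return [gf_mul(gray(i), L) ^ R for i in range(1, m + 1)]


if __name__ == "__main__":
    # Constructed sample values for L (the key variant) and R (the base offset).
    L = 0x0123456789ABCDEF0123456789ABCDEF
    R = 0xFEDCBA9876543210FEDCBA9876543210
    print([gray(i) for i in range(8)])                       # [0, 1, 3, 2, 6, 7, 5, 4]
    print(offsets_incremental(L, R, 40) == offsets_direct(L, R, 40))   # True
```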

[0085] Definition of OCB

[0086] With the necessary notation and background now in place, we are ready to describe OCB. OCB depends on two parameters: a block cipher E, having block length n, and a tag length t, where t is a number between 1 and n. By trivial means, the adversary will be able to forge a valid ciphertext with probability 2^(−t).

[0087] A popular block cipher to use with OCB is likely to be the AES algorithm (AES-128, AES-192, or AES-256). As for the tag length, a suggested default of t=64 is reasonable, but tags of any length are fine.

[0088] Encryption under OCB mode requires an n-bit nonce, Nonce. The nonce would typically be a counter (maintained by the sender) or a random value (selected by the sender). Security is maintained even if the adversary can control the nonce, subject to the constraint that no nonce may be repeated within the current session (that is, during the period of use of the current encryption key). The nonce need not be random, unpredictable, or secret.

[0089] The nonce Nonce is needed both to encrypt and to decrypt. To permit maximum flexibility, it is not specified by OCB how the nonce is communicated to the Receiver, and we do not regard the nonce as part of the ciphertext. Most often the nonce would be communicated, in the clear, along with the ciphertext: for example, the nonce, in its entirety, might be prepended to the ciphertext. Alternatively, the Sender may encode the nonce using some agreed upon number of bits less than n, and this encoded nonce would be sent to the Receiver along with the ciphertext.

TABLE 1

OCB-Encrypt_(K)(Nonce, M)
    Partition M into M[1] ... M[m]
    // Define needed values
    L = E_(K)(0)                                   // Key variant. Recall 0 = 0^(n)
    R = E_(K)(Nonce ⊕ L)                           // Base offset R
    for i = 1 to m do Z[i] = γ_(i) · L ⊕ R          // Offsets: Z[1], ..., Z[m]
    Z[−m] = Z[m] ⊕ L · x⁻¹
    // Process message blocks...
    for i = 1 to m−1 do C[i] = E_(K)(M[i] ⊕ Z[i]) ⊕ Z[i]
    // Process final fragment...
    PrePad = len(M[m]) ⊕ Z[−m]
    Pad = E_(K)(PrePad)
    C[m] = Pad ⊕ M[m]                              // Uses Pad bits 1..|M[m]|
    C = C[1] ... C[m]                              // Ciphertext core
    Checksum = M[1] ⊕ ... ⊕ M[m−1] ⊕ C[m] 0* ⊕ Pad
    PreFullTag = Checksum ⊕ Z[m]
    FullTag = E_(K)(PreFullTag)
    Tag = FullTag [first t bits]
    return C || Tag                                // The final ciphertext, C

[0090] See FIG. 1 for an illustration of OCB encryption. FIG. 1 is best understood in conjunction with the algorithm definition in Table 1, which explains all of the figure's various parts and gives additional algorithmic details. The key space for OCB is the key space for the underlying block cipher E. OCB encryption is then defined in Table 1.

[0091] Referring to FIG. 1 and the algorithm definition above, one sees that the message M has been partitioned into n-bit blocks M[1], . . . , M[m−1], as well as a message fragment, M[m], which may have fewer than n bits. The message blocks and the final fragment are treated differently.

[0092] Each message block M[i] is xored with an offset (the Z[i] value), enciphered, and then xored again with the same offset. This gives a ciphertext block C[i].

[0093] The message fragment M[m] is mapped into a ciphertext fragment C[m] by xoring it with the string Pad. According to our conventions, only the first |M[m]| bits of Pad are used. In this way, C[m] will have the same length as M[m]. The value Pad does not depend on M[m], apart from its length. In particular, Pad is formed by enciphering the string PrePad which is the xor of the length of the final fragment M[m], encoded as a string, and the “special” offset Z[−m], which is the xor of Z[m] and L·x⁻¹. Thus PrePad (and therefore Pad) depends on the bit length of M.

[0094] At this point, the ciphertext core C=C[1] . . . C[m] has been computed. Its length is the length of M.

[0095] A checksum is now computed by xoring together: (a) the m−1 message blocks; (b) the zero-padded ciphertext fragment, C[m]0*; and (c) the value Pad. (This is equivalent to xoring together: (a) the message blocks; (b′) the zero-padded message fragment, M[m]0*; (c′) the string S which is the first n−|M[m]| bits of Pad followed by |M[m]| zero-bits.) The checksum is offset using offset Z[m], giving the PreFullTag. That string is enciphered to give the FullTag. The t-bit prefix of the FullTag is used as the actual tag, Tag.

[0096] The ciphertext C is the ciphertext core C=C[1] . . . C[m] together with the tag Tag. The Nonce must be communicated along with the ciphertext C to allow the Receiver to decrypt.

[0097] FIGS. 2 and 3 clarify the make-offset process that is used in OCB but which is only partially depicted in FIG. 1. First, FIG. 2 depicts how the underlying key K is mapped, conceptually, into a sequence of fixed offsets z[1], z[2], z[3], . . . . We call this sequence of offsets “fixed” because it does not depend on the nonce Nonce (it only depends on the key K). The sequence of fixed offsets is mapped into a sequence of translated offsets, or simply offsets, by xoring each fixed offset with a base offset, R: that is, Z[i]=z[i]⊕R. The base offset R is determined from the nonce Nonce and from the underlying key K.

[0098] FIG. 3 shows the inventive process in more detail. The sequence of fixed offsets that we choose is z[1]=γ₁·L, z[2]=γ₂·L, z[3]=γ₃·L, and so on. Thus the sequence of translated offsets used by OCB is Z[1]=γ₁·L⊕R, Z[2]=γ₂·L⊕R, Z[3]=γ₃·L⊕R, and so on. These offsets can be calculated in a particularly simple manner. Namely, in a pre-processing step we map L, which is a key variant determined by enciphering under K the constant string 0, into a sequence of basis offsets L(0), L(1), L(2), . . . . Basis offset L(i) is defined to be L·x^(i). We have already explained how to easily compute these strings. Now we compute translated offsets as follows. The first offset, Z[1], is defined as R⊕L(0). Offset Z[2] is computed from offset Z[1] by xoring Z[1] with L(1). One chooses L(1) because we are making offset number 2 and the number 2, written in binary, ends in 1 zero-bit. Offset Z[3] is computed from offset Z[2] by xoring Z[2] with L(0). One chooses L(0) because we are making offset 3 and 3, written in binary, ends in 0 zero-bits. Offset Z[4] is computed from offset Z[3] by xoring Z[3] with L(2). One chooses L(2) because we are making offset 4 and 4, written in binary, ends in 2 zero-bits. One continues in this way, constructing each (translated) offset from the prior offset by xoring in the appropriate L(i) value.

[0099] Decryption in OCB works in the expected way. The algorithm is shown in FIG. 4 and is defined as follows. All parts of FIG. 4 can be understood by consulting the algorithm definition that appears in Table 2.

TABLE 2

OCB-Decrypt_(K)(Nonce, C)
    Partition C into C[1] ... C[m] T
    L = E_(K)(0)
    R = E_(K)(Nonce ⊕ L)
    for i = 1 to m do Z[i] = γ_(i) · L ⊕ R
    Z[−m] = Z[m] ⊕ L · x⁻¹
    for i = 1 to m−1 do M[i] = E_(K)⁻¹(C[i] ⊕ Z[i]) ⊕ Z[i]
    PrePad = len(C[m]) ⊕ Z[−m]
    Pad = E_(K)(PrePad)
    M[m] = Pad ⊕ C[m]
    M = M[1] ... M[m]
    Checksum = M[1] ⊕ ... ⊕ M[m−1] ⊕ C[m] 0* ⊕ Pad
    Tag′ = E_(K)(Checksum ⊕ Z[m]) [first t bits]
    if Tag = Tag′ then return M else return invalid

[0100] An Alternative Description

[0101] At this point, we have fully described the embodiment OCB. Still, the following alternative description may help to clarify what a typical implementation might choose to do.

[0102] Key Generation:

[0103] Choose a random key K from the key space for the block cipher. The key K is provided to both the entity that encrypts and the entity that decrypts.

[0104] Key Setup:

[0105] With the key now distributed, the following can be pre-computed:

[0106] 1. Setup the block-cipher key. For the party that encrypts: do any key setup associated to enciphering using the block-cipher with key K. For the party that decrypts: do any key setup associated to enciphering or deciphering using the block-cipher with key K.

[0107] 2. Pre-compute L. Let L=E_(K)(0).

[0108] 3. Pre-compute L(i)-values. Let m_(max) be at least as large as the number of n-bit blocks in any message to be encrypted or decrypted. Let u=┌log₂ m_(max)┐. Let L(0)=L and, for i∈[1..u], compute L(i)=L(i−1)·x using a shift and a conditional xor, in the manner already described. Compute L(−1)=L·x⁻¹ using a shift and a conditional xor, in the manner already described. Save L(−1), L(0), . . . , L(u) in a table.

[0109] Encryption:

[0110] To encrypt message M∈{0,1}* using key K and nonce Nonce∈{0,1}^(n), obtaining ciphertext C, do the following:

[0111] 1. Partition M. Let m=┌|M|/n┐. If m=0 then replace m by 1. Let M[1], . . . , M[m] be strings such that M[1] . . . M[m]=M and |M[i]|=n for all i∈[1..m−1].

[0112] 2. Initialize variables. Let Offset=E_(K)(Nonce⊕L). Let Checksum=0.

[0113] 3. Encipher all blocks but the last one. For i=1 to m−1, do the following:

[0114] Let Checksum=Checksum⊕M[i].

[0115] Let Offset=Offset⊕L(ntz(i)).

[0116] Let C[i]=E_(K)(M[i]⊕Offset)⊕Offset.

[0117] 4. Mask the final fragment and finish constructing the checksum:

[0118] Let Offset=Offset⊕L(ntz(m)).

[0119] Let Pad=E_(K)(len(M[m])⊕L(−1)⊕Offset).

[0120] Let C[m]=M[m]⊕(the first |M[m]| bits of Pad).

[0121] Let Checksum=Checksum⊕Pad⊕C[m]0*.

[0122] 5. Form the tag. Let Tag be the first t bits of E_(K)(Checksum⊕Offset).

[0123] 6. Return the ciphertext. The ciphertext is defined as the string C=C[1] . . . C[m−1] C[m]∥Tag. It is communicated along with the nonce Nonce to the Receiver.

[0124] Decryption:

[0125] To decrypt a ciphertext C∈{0,1}* using key K and nonce Nonce∈{0,1}^(n), obtaining a plaintext M∈{0,1}* or else an indication invalid, do the following:

[0126] 1. Partition the ciphertext. If |C|<t then return invalid (the ciphertext has been rejected). Otherwise, let C be the first |C|−t bits of C and let Tag be the remaining t bits. Let m=┌|C|/n┐. If m=0 then let m=1. Let C[1], . . . , C[m] be strings such that C[1] . . . C[m]=C and |C[i]|=n for i∈[1..m−1].

[0127] 2. Initialize variables. Let Offset=E_(K)(Nonce⊕L). Let Checksum=0.

[0128] 3. Recover all blocks but the last one. For i=1 to m−1, do the following:

[0129] Let Offset=Offset⊕L(ntz(i)).

[0130] Let M[i]=E_(K)⁻¹(C[i]⊕Offset)⊕Offset.

[0131] Let Checksum=Checksum⊕M[i].

[0132] 4. Recover the final fragment and finish making the checksum:

[0133] Let Offset=Offset⊕L(ntz(m)).

[0134] Let Pad=E_(K)(len(C[m])⊕L(−1)⊕Offset).

[0135] Let M[m]=C[m]⊕(the first |C[m]| bits of Pad).

[0136] Let Checksum=Checksum⊕Pad⊕C[m]0*.

[0137] 5. Check the tag. Let Tag′ be the first t bits of E_(K)(Checksum⊕Offset). If Tag≠Tag′ then return invalid (the ciphertext has been rejected). Otherwise,

[0138] 6. Return the plaintext. The plaintext that is returned is defined to be M=M[1] . . . M[m−1] M[m].
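The encryption and decryption procedures of Tables 1 and 2 and of the alternative description above ([0110] through [0138]), as an added example that is not the patent's own code. It uses n=128 and t=64; because the example must run offline, the block cipher E_(K) is a constructed stand-in (a four-round Feistel network whose round function is SHA-256 keyed with K) rather than AES, and the key and messages are constructed sample values.

```python
# Added example (not the patent's own code): OCB encrypt/decrypt following
# Tables 1/2 and the alternative description. E/D below are a CONSTRUCTED
# stand-in block cipher so the example is self-contained; use AES in practice.
import hashlib
import hmac

N, T = 128, 64                    # block length n and tag length t, in bits
MASK = (1 << N) - 1


def _f(key: bytes, r: int, half: int) -> int:
    """Feistel round function: 64-bit value from key, round index and half-block."""
    d = hashlib.sha256(key + bytes([r]) + half.to_bytes(8, "big")).digest()
    return int.from_bytes(d[:8], "big")


def E(key: bytes, x: int) -> int:
    """Stand-in 128-bit block cipher E_K (4-round Feistel), a permutation of {0,1}^128."""
    left, right = x >> 64, x & ((1 << 64) - 1)
    for r in range(4):
        left, right = right, left ^ _f(key, r, right)
    return (left << 64) | right


def D(key: bytes, y: int) -> int:
    """Inverse block cipher E_K^-1."""
    left, right = y >> 64, y & ((1 << 64) - 1)
    for r in reversed(range(4)):
        left, right = right ^ _f(key, r, left), left
    return (left << 64) | right


def times_x(a: int) -> int:
    """a . x in GF(2^128) with poly x^128 + x^7 + x^2 + x + 1 (paragraph [0077])."""
    a <<= 1
    return (a & MASK) ^ 0b10000111 if a >> N else a


def times_x_inv(a: int) -> int:
    """a . x^-1 (paragraph [0078])."""
    return (a >> 1) ^ ((1 << (N - 1)) | 0b1000011) if a & 1 else a >> 1


def ntz(i: int) -> int:
    return (i & -i).bit_length() - 1


def _core(key: bytes, nonce: int, data: bytes, decrypt: bool):
    """Steps 1-4 shared by encryption and decryption.
    Returns (output core, Checksum, final Offset = Z[m])."""
    m = max(1, -(-len(data) // 16))          # |data|_n; the empty string is one block
    L = E(key, 0)                            # key variant L
    table = [L]                              # basis offsets L(0), L(1), ...
    for _ in range(m.bit_length()):
        table.append(times_x(table[-1]))
    offset, checksum, out = E(key, nonce ^ L), 0, bytearray()   # Offset = R
    for i in range(1, m):                    # full blocks 1..m-1
        offset ^= table[ntz(i)]              # Offset = Z[i]
        blk = int.from_bytes(data[16 * (i - 1):16 * i], "big")
        res = (D if decrypt else E)(key, blk ^ offset) ^ offset
        checksum ^= res if decrypt else blk  # Checksum always absorbs M[i]
        out += res.to_bytes(16, "big")
    frag = data[16 * (m - 1):]               # final fragment, 0..16 bytes
    offset ^= table[ntz(m)]                  # Offset = Z[m]
    pad = E(key, (8 * len(frag)) ^ times_x_inv(L) ^ offset)   # len(M[m]) + L(-1) + Z[m]
    stream = pad.to_bytes(16, "big")[:len(frag)]              # first |M[m]| bits of Pad
    outfrag = bytes(a ^ b for a, b in zip(frag, stream))
    out += outfrag
    cfrag = frag if decrypt else outfrag     # C[m] in either direction
    checksum ^= pad ^ int.from_bytes(cfrag.ljust(16, b"\0"), "big")   # Pad xor C[m]0*
    return bytes(out), checksum, offset


def ocb_encrypt(key: bytes, nonce: int, msg: bytes) -> bytes:
    """Returns C = C[1]...C[m] || Tag; the nonce travels separately (paragraph [0089])."""
    core, checksum, offset = _core(key, nonce, msg, decrypt=False)
    tag = E(key, checksum ^ offset) >> (N - T)          # first t bits of FullTag
    return core + tag.to_bytes(T // 8, "big")


def ocb_decrypt(key: bytes, nonce: int, ct: bytes):
    """Returns M, or None for 'invalid' (|C| < t or tag mismatch)."""
    if len(ct) < T // 8:
        return None
    core, tag = ct[:-(T // 8)], ct[-(T // 8):]
    msg, checksum, offset = _core(key, nonce, core, decrypt=True)
    tag2 = (E(key, checksum ^ offset) >> (N - T)).to_bytes(T // 8, "big")
    return msg if hmac.compare_digest(tag, tag2) else None   # constant-time compare


if __name__ == "__main__":
    key, nonce = b"constructed-example-key", 7          # constructed sample values
    ct = ocb_encrypt(key, nonce, b"forty-three byte message with a fragment..")
    print(len(ct), ocb_decrypt(key, nonce, ct) is not None, ocb_decrypt(key, 8, ct))
```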

[0139] Variations

[0140] While many variants of OCB result in incorrect algorithms, there are also many correct variants. One type of variant leaves the structure of OCB alone, but changes the way offsets are produced. When changing the way that offsets are produced, one may also have to change the semantics of the xor operation. We give a couple of examples.

[0141] For an “addition mod 2^(n) variant” of OCB, one might change the offsets to Z[i]=(R+iL) mod 2^(n), for i≥1, and Z[−m]=complement(Z[m]) (the bit-wise complement of Z[m]). According to this definition, each offset is computed from the prior one by n-bit addition of L. Alternatively, replace complement(Z[m]) by −Z[m] mod 2^(n), which is nearly the same thing (the two differ by a constant, 1, and this difference is irrelevant).

[0142] Assuming n is a multiple of the word size of a computer, addition mod 2^(n) is easily computed by a computer. We call addition mod 2^(n) “computer addition”. Computer addition might or might not generate a carry. To achieve addition modulo 2^(n) any carry that is generated is simply ignored.

[0143] Alternatively, for i≥1, one could define Z[i]=iR mod 2^(n), so that each offset is obtained from the prior one by n-bit addition of R instead of L.

[0144] When defining offsets using computer addition, the xor operations used to combine a message block and an offset, and the xor operations used to combine a block-cipher output and an offset, should be replaced by mod 2^(n) addition. Leaving these operations as xors seems to damage the schemes' security.

[0145] For a “mod p variant” of OCB, where p is a large prime number (for example, the smallest prime number less than 2^(n)), change the offsets to Z[i]=(R+iL) mod p, for i≥1, and Z[−m]=complement(Z[m]). According to this definition, each offset is computed from the prior one by n-bit addition of L. The complement(Z[m]) can be replaced by −Z[m] mod p, which is nearly the same thing (the two differ by a constant, 1, and this difference is irrelevant).

[0146] Alternatively, for i≥1, one could define Z[i]=iR mod p, so that each offset is obtained from the prior one by n-bit addition of R instead of L.

[0147] When defining offsets using addition modulo p, the xor operations used to combine a message block and an offset, and then used to combine a block-cipher output and an offset, could be replaced by mod p addition. However, this does not seem to be essential.

[0148] An efficiency improvement can be made to the mod p schemes for offset production: define Z[i] not as (Z[i−1]+L) mod p, where an implementation would always have to check if the sum is p or larger, but by doing the (mod p)-reduction in a “lazy” manner, according to the carry bit produced by computer addition. Namely, form Z[i] by computer addition of n-bit numbers L and Z[i−1]. If the addition generates a carry bit, then add into the sum the number δ=2^(n)−p. This method results in Z[i] being equal to one of two possible values: (iL+R) mod p, or p+((iL+R) mod p). The latter is only a possibility in the (rare) case that the indicated sum is less than 2^(n). Thus the sequence of offsets is little changed, yet an implementation is more efficient since it only has to make an adjustment to the computer-addition sum when a carry is generated. The carry will typically be computed “for free” in a modern processor. We call this method of offset production lazy mod p addition.

[0149] Lazy mod p addition also works as a modification to the Z[i]=iR mod p method; namely, define Z[1]=R and Z[i]=(Z[i−1]+R) mod 2^(n) if the indicated computer addition does not generate a carry, and define Z[i]=(Z[i−1]+R+δ) mod 2^(n) if the first addition does generate a carry.
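The lazy mod p offset production of [0148] and [0149], as an added example that is not part of the patent text. It is shown at n=32 so that p (here the largest prime below 2^(n)) can be found by trial division, and it checks the stated property that every lazily reduced Z[i] equals either (iL+R) mod p or p+((iL+R) mod p); L and R are constructed sample values.

```python
# Added example (not the patent's own code): lazy mod p addition for offsets,
# at n = 32. Both the (R + iL) form and the iR form of the offsets are covered.
import math

N = 32
MOD = 1 << N


def largest_prime_below(x: int) -> int:
    """Largest prime smaller than x, found by trial division (fine for x = 2^32)."""
    c = x - 1
    while True:
        if c % 2 == 1 and all(c % d for d in range(3, math.isqrt(c) + 1, 2)):
            return c
        c -= 1


def lazy_offsets(L: int, R: int, m: int, p: int) -> list:
    """Z[1..m]: Z[i] = Z[i-1] + L by n-bit computer addition, starting from R.
    Only when that addition carries is delta = 2^n - p added in (lazy reduction).
    Calling with R = 0 and L = R' gives the lazy form of the Z[i] = iR' mod p variant."""
    delta = MOD - p
    offsets, current = [], R
    for _ in range(m):
        s = current + L
        current = s % MOD                    # computer addition: the carry is dropped
        if s >= MOD:                         # a carry was generated: adjust by delta
            current = (current + delta) % MOD
        offsets.append(current)
    return offsets


def exact_offsets(L: int, R: int, m: int, p: int) -> list:
    """The fully reduced offsets (R + iL) mod p for i = 1..m."""
    return [(R + i * L) % p for i in range(1, m + 1)]


def check_lazy(L: int, R: int, m: int, p: int) -> bool:
    """True when every lazy Z[i] is (iL+R) mod p or p + ((iL+R) mod p)."""
    pairs = zip(lazy_offsets(L, R, m, p), exact_offsets(L, R, m, p))
    return all(z in (e, e + p) for z, e in pairs)


if __name__ == "__main__":
    p = largest_prime_below(MOD)             # constructed choice of p for n = 32
    L, R = 0x9E3779B9, 0x12345678            # constructed sample values
    print(p, MOD - p, check_lazy(L, R, 1000, p))
```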

[0150] Other variants of OCB change minor details in the structure of the algorithm. For example, the value L·x⁻¹ used in forming the PrePad can be replaced by the value L>>1. These two possibilities are nearly the same thing: recall that L·x⁻¹ is actually equal to L>>1 if L ends in a 0 bit, and, if L ends in a 1 bit, L·x⁻¹ differs from L>>1 by a fixed constant. Thus there is no practical difference between L·x⁻¹ and L>>1. This is exactly analogous to the use of −A mod p versus complement(A) in an addition mod p based scheme; or −A mod 2^(n) versus complement(A) in an addition mod 2^(n) based scheme.

[0151] More structural changes can be made to OCB while preserving its basic ideas. The intuition for the manner in which OCB processes the final fragment and then produces the tag is to ensure that the PreFullTag appreciably depends not only on the message blocks, but also on (a) the message fragment/ciphertext fragment, and (b) the length of the message. As an example alternative, one might change the Z[−m] offset to Z[m], and change the Z[m] offset to Z[−m].

[0152] It is even possible to allow PreFullTag to inadequately depend on the message fragment/ciphertext fragment, as long as this dependency is realized in the FullTag itself. An example of such an OCB variant is shown in FIG. 5. In that variant, Pad does not depend on the bit length of M[m], but only on the block length of M. The checksum is defined differently from before; it is now defined by Checksum=M[1]⊕ . . . ⊕M[m−1]⊕pad(M[m]), where pad(A)=A if A is n bits long and pad(A)=A∥10^(n−|A|−1) otherwise. With such a scheme, PreFullTag would seem to inadequately depend on the message; for example, 1^(n) and 1^(n−1) give rise to identical checksums, as well as ciphertext cores that differ by just one bit. So if the authentication tag were taken to be FullTag*, the scheme would be insecure. To differentiate pairs of strings like 1^(n) and 1^(n−1), the scheme of FIG. 5 modifies the value FullTag*=E_(K)(PreFullTag) by xoring it with one of two different offsets, 0 or Z[m+1]. The first offset is used if the message fragment is n bits long (so no padding was appended to the message fragment when forming the checksum), while the second offset is used when the message fragment has fewer than n bits (so 10* padding was appended to it when forming the checksum). Now strings such as 1^(n) and 1^(n−1) will give rise to the same FullTag* but different FullTag values.

[0153] Many other correct variants of OCB are possible, as a person skilled in the art will now be able to discern.

[0154] A variant in a different direction is to facilitate the efficient processing of associated-data. Associated-data refers to information which the Receiver would like to ensure that he shares (in identical form) with the Sender, but where this information is not a part of the message that is being encrypted. Such information is usually non-secret, and it is usually held static during the course of a session (that is, all messages encrypted using a given key will usually share the same associated-data). The associated-data is a vector of strings AD, or it is a single string AD that encodes such a vector of strings.

[0155] An authenticated-encryption scheme that permits associated-data can be regarded as an authenticated-encryption scheme in which there is an extra argument, AD, supplied to both the encryption function E and the decryption function D. The Sender encrypts using E_(K)(Nonce, AD, M), while the Receiver decrypts using D_(K)(Nonce, AD, C). If the Receiver supplies an AD-value which is different from the one which the Sender used, the ciphertext C, on decryption, will almost certainly be regarded as invalid.

[0156] A method to allow for associated-data that will be obvious to those skilled in the art is to have the Sender encode AD along with the message M, obtaining an augmented message M′, and then have the Sender encrypt M′, with authenticity, using an authenticated-encryption scheme. But this method is inefficient, insofar as the ciphertext C′ that one obtains is longer than a ciphertext C would be for M. The increase in length is by an amount proportional to the length of AD. Also, extra processing time is needed to encrypt and to decrypt (even when AD is held constant across many messages).

[0157] The inventive methods permit more efficient processing of associated-data than what is described above. We illustrate the method for encryption under OCB_(K)(Nonce, AD, M). Let F be a function of the key K and the associated-data AD. The inventive method begins by computing Δ=F_(K)(AD). In a first technique, ciphertext OCB_(K)(Nonce, AD, M) is then defined as OCB_(Δ)(Nonce, M). In an alternative technique, the ciphertext OCB_(K)(Nonce, AD, M) is defined as OCB_(K)(Nonce⊕Δ, M). In yet another alternative, ciphertext OCB_(K)(Nonce, AD, M) is defined as (C, Tag⊕Δ), where (C, Tag)=OCB_(K)(Nonce, M). Decryption proceeds according to the obvious associated algorithm, as those skilled in the relevant art will infer. Other ways to modify the process of computing ciphertexts under OCB_(K)(Nonce, M) which make use of Δ will be apparent to those skilled in the relevant art.

[0158] The inventive method has the advantage that the ciphertext is not lengthened because of the presence of the associated-data, and the processing time is not significantly increased, assuming that Δ has been pre-computed.

[0159] The description of the inventive method uses one key K for both F_(K)(•) and OCB_(K)(•, •). This is advantageous, but two separate keys may of course be used instead.

[0160] There are many options for realizing the function F used above. For example, F may be the CBC MAC described earlier. Alternatively, F may be obtained from a cryptographic hash function, or from a universal hash function.

[0161] There are also many options for realizing the encoding of a vector of strings AD into a string AD. For example, one can concatenate an encoding of each string in the vector of strings, where the encoding of each string in the vector of strings consists of a fixed-byte encoding of the string's length, followed by the string itself.

[0162] The associated-data techniques we have described are applicable to any authenticated-encryption scheme, without restriction. The technique can be used in conjunction with the other inventive teachings, or the technique can be used independently. Its use in conjunction with other inventive teachings does not limit the scope of those teachings, and mechanisms which allow the presence of associated-data should be understood as covered by claims which do not explicitly refer to the presence of associated-data.

[0163] Execution Vehicles

[0164] The encryption and the decryption process used by the presentinvention may reside, without restriction, in software, firmware, or inhardware. The execution vehicle might be a computer CPU, such as thosemanufactured by Intel Corporation and used within personal computers.Alternatively, the process may be performed within dedicated hardware,as would typically be found in a cell phone or a wireless LANcommunications card or the hardware associated to the Access Point in awireless LAN. The process might be embedded in the special-purposehardware of a high-performance encryption engine. The process may beperformed by a PDA (personal digital assistant), such as a Palm Pilot®.In general, any engine capable of performing a complex sequence ofinstructions and needing to provide a privacy and authenticity serviceis an appropriate execution vehicle for the invention.

[0165] The various processing routines that comprise the presentinvention may reside on the same host machine or on different hostmachines interconnected over a network (e.g., the Internet, an intranet,a wide area network (WAN), or local area network (LAN)). Thus, forexample, the encryption of a message may be performed on one machine,with the associated decryption performed on another machine, the twocommunicating over a wired or wireless LAN. In such a case, a machinerunning the present invention would have appropriate networking hardwareto establish a connection to another machine in a conventional manner.Though we speak of a Sender and a Receiver performing encryption anddecryption, respectively, in some settings (such as file encryption) theSender and Receiver are a single entity, at different points in time.

[0166] The foregoing descriptions of embodiments of the present invention have been presented for purposes of illustration and description only. They are not intended to be exhaustive or to limit the present invention to the forms disclosed. Accordingly, many modifications and variations will be apparent to practitioners skilled in the art. Additionally, the above disclosure is not intended to limit the present invention. The scope of the present invention is defined by the appended claims.

What is claimed is:
 1. An authenticated-encryption method that uses akey, a nonce and an n-bit block cipher to encrypt a message into aciphertext, the method comprising: partitioning the message into amessage body comprising a sequence of n-bit message blocks, and amessage fragment of at most n bits; generating a sequence of offsetsfrom the nonce and the key; computing a ciphertext body using the blockcipher, the message body, the key, the nonce, and the sequence ofoffsets; computing a ciphertext fragment using the block cipher, themessage fragment, the key, and an offset; computing a tag as a functionof the message body, the message fragment, the sequence of offsets, andthe key; and defining the ciphertext to include the ciphertext body, theciphertext fragment, and the tag.
 2. The method of claim 1, whereingenerating the sequence of offsets involves: determining a first offsetas a function of the nonce and the key; and determining each subsequentoffset by combining a previous offset and a basis offset, wherein eachbasis offset is determined as a function of the key.
 3. The method ofclaim 1, wherein generating the sequence of offsets involves determiningan offset by combining a base offset and a fixed offset, wherein thebase offset is a function to the key and the nonce, and the fixed offsetis a function of the key and the position of the offset in a sequence ofoffsets.
 4. The method of claim 1, wherein generating the sequence ofoffsets involves: generating a sequence of fixed offsets from the key;generating a base offset from the key and the nonce; generating asequence of translated offsets by combining each fixed offset with thebase offset to get a corresponding translated offset; and using thesequence of translated offsets as the sequence of offsets.
 5. The methodof claim 4, wherein the key determines a sequence of basis offsets andeach fixed offset is determined by xoring some combination of basisoffsets.
 6. The method of claim 5, wherein each basis offset except forthe first basis offset is determined by a shift and a conditional xorapplied to a previous basis offset.
 7. The method of claim 5, whereinthe order that basis offsets are combined into fixed offsets isdetermined according to a Gray code.
 8. The method of claim 1, whereingenerating the sequence of offsets involves: computing a sequence ofbasis offsets from the key; computing a base offset from the key and thenonce; and computing the first offset in the sequence of offsets as afunction of the base offset, the key, and the nonce, and computing eachsubsequent offset in the sequence of offsets by combining the prioroffset with a basis offset.
 9. The method of claim 1, wherein generatingthe sequence of offsets involves: computing a key-variant by encipheringa constant with the block cipher, wherein the block cipher is keyed bythe given key; and computing the sequence of offsets as a function ofthe key variant and the nonce.
 10. The method of claim 1, whereincomputing the ciphertext body involves: combining each message block inthe message body with a corresponding offset to produce a correspondinginput block; applying the block cipher to each input block to produce acorresponding output block; combining each output block with acorresponding offset to produce a corresponding ciphertext block; andconcatenating the ciphertext blocks to determine the ciphertext body.11. The method of claim 1, wherein computing the ciphertext fragmentinvolves: computing a precursor pad as a function of an offset and thelength of the message; computing a pad by applying the block cipher tothe precursor pad; and computing the ciphertext fragment by combiningthe message fragment and the pad.
 12. The method of claim 1, whereincomputing the tag involves: computing a checksum as a function of themessage, the ciphertext fragment, and the sequence of offsets; andcomputing the tag as a function of the checksum, the key, and an offset.13. The method of claim 1, wherein computing the tag involves: computinga checksum from at least the message; combining the checksum with anoffset to produce a precursor full tag; computing a full tag by applyingthe block cipher to the precursor full tag; and computing a tag as aportion of the full tag.
 14. An authenticated-encryption method thatuses a key, a nonce, and an n-bit block cipher to decrypt a ciphertextinto a message or a message-invalid signal, the method comprising:partitioning the ciphertext into a ciphertext body comprising a sequenceof n-bit ciphertext blocks, a ciphertext fragment of at most n bits, anda tag; generating a sequence of offsets from the nonce and the key;computing a message body using the block cipher, the ciphertext body,the key, the nonce, and the sequence of offsets; computing a messagefragment using the block cipher, the ciphertext fragment, the key, andan offset; computing a new tag as a function of the message body, themessage fragment, the sequence of offsets, the block cipher, and thekey; and comparing the new tag with the tag; if the new tag matches thetag, returning the message, wherein the message includes the messagebody and the message fragment; and if the new tag does not match thetag, returning a message-invalid signal.
 15. The method of claim 14,wherein generating the sequence of offsets involves: generating asequence of fixed offsets from the key; generating a base offset fromthe key and the nonce; generating a sequence of translated offsets bycombining each fixed offset with the base offset to get a correspondingtranslated offset; and using the sequence of translated offsets as thesequence of offsets.
 16. The method of claim 14, wherein computing themessage body involves: combining each ciphertext block in the ciphertextbody with a corresponding offset to produce a corresponding outputblock; applying the block-cipher inverse to each output block to producea corresponding input block; combining each input block with acorresponding offset to produce a corresponding message block; anddefining the message body to be the sequence of message blocks.
 17. Themethod of claim 14, wherein computing the message fragment involves:computing a precursor pad as a function of an offset and the length ofthe ciphertext; computing a pad by applying the block cipher to theprecursor pad; and computing the message fragment by combining theciphertext fragment and the pad.
 18. The method of claim 14, whereincomputing the tag involves: computing a checksum as a function of atleast the message; and computing the tag as a function of the checksum,the key, and an offset.
 19. A computer-readable storage medium storinginstructions that when executed by a computer cause the computer toperform an authenticated-encryption method that uses a key and a nonceto encrypt a message into a ciphertext, the method comprising:partitioning the message into a message body including a sequence ofn-bit message blocks, and a message fragment of at most n bits;generating a sequence of offsets from the nonce and the key; computing aciphertext body using a block cipher, the message body, the key, thenonce, and the sequence of offsets; computing a ciphertext fragmentusing the block cipher, the message fragment, the key, and an offset;computing a tag as a function of the message body, the message fragment,the sequence of offsets, and the key; and defining the ciphertext toinclude the ciphertext body, the ciphertext fragment, and the tag. 20.The computer-readable storage medium of claim 19, wherein generating thesequence of offsets involves: determining a first offset as a functionof the nonce and the key; and determining each subsequent offset bycombining a previous offset and a basis offset, wherein each basisoffset is determined as a function of the key.
 21. The computer-readablestorage medium of claim 19, wherein generating the sequence of offsetsinvolves determining an offset by combining a base offset and a fixedoffset, wherein the base offset is a function to the key and the nonce,and the fixed offset is a function of the k ey and a position of thefixe d offset in a sequence of fixed offsets.
 22. The computer-readablestorage medium of claim 19, wherein generating the sequence of offsetsinvolves: generating a sequence of fixed offsets from the key;generating a base offset from the key and the nonce; generating asequence of translated offsets by combining each fixed offset with thebase offset to get a corresponding translated offset; and using thesequence of translated offsets as the sequence of offsets.
 23. Thecomputer-readable storage medium of claim 22, wherein the key determinesa sequence of basis offsets and each fixed offset is determined byxoring some combination of basis offsets.
 24. The computer-readablestorage medium of claim 23, wherein each basis offset except for thefirst basis offset is determined by a shift and a conditional xorapplied to a previous basis offset.
 25. The computer-readable storagemedium of claim 24, wherein the order that basis offsets are combinedinto fixed offsets is determined according to a Gray code.
 26. Thecomputer-readable storage medium of claim 19, wherein generating thesequence of offsets involves: computing a sequence of basis offsets fromthe key; computing a base offset from the key and the nonce; andcomputing a sequence of translated offsets, wherein the first offset isdetermined from the base offset, the key, and the nonce, and subsequentoffsets are determined by combining the prior translated offset with abasis offset.
 27. The computer-readable storage medium of claim 19,wherein generating the sequence of offsets involves: computing akey-variant offset by enciphering a constant with the block cipher,wherein the block cipher is keyed by a given key; and computing thesequence of offsets using the key-variant offset.
 28. Thecomputer-readable storage medium of claim 19, wherein computing theciphertext body involves: combining each message block in the messagebody with a corresponding offset to produce a corresponding input block;applying the block cipher to each input block to produce a correspondingoutput block; and combining each output block with a correspondingoffset to produce a corresponding ciphertext block.
 29. Thecomputer-readable storage medium of claim 19, wherein computing theciphertext fragment involves: computing a precursor pad as a function ofan offset; computing a pad by applying the block cipher to the precursorpad; and computing the ciphertext fragment by combining the messagefragment and the pad.
 30. The computer-readable storage medium of claim19, wherein computing the tag involves: computing a checksum as afunction of the message and a sequence of offsets; and computing the tagas a function of the checksum, the key, and an offset.
 31. Thecomputer-readable storage medium of claim 19, wherein computing the taginvolves: computing a checksum from the message blocks, the messagefragment, and a pad; combining the checksum with an offset to produce aprecursor full tag; computing a full tag by applying the block cipher tothe precursor full tag; and computing a tag as a portion of the fulltag.
 32. A computer-readable storage medium storing instructions thatwhen executed by a computer cause the computer to perform anauthenticated-encryption method that uses a key and a nonce to decrypt aciphertext into a message, the method comprising: partitioning theciphertext into a ciphertext body including a sequence of n-bitciphertext blocks, a ciphertext fragment of at most n bits, and a tag;generating a sequence of offsets from the nonce and the key; computing amessage body using a block cipher, the ciphertext body, the key, thenonce, and the sequence of offsets; computing a message fragment usingthe block cipher, the ciphertext fragment, the key, and an offset;computing a new tag as a function of the message body; and comparing thenew tag with the tag; if the new tag matches the tag, returning themessage, wherein the message includes the message body and the messagefragment; and otherwise, if the new tag does not match the tag,returning a message invalid signal.
 33. The computer-readable storagemedium of claim 32, wherein generating the sequence of offsets involves:generating a sequence of fixed offsets from the key; generating a baseoffset from the key and the nonce; generating a sequence of translatedoffsets by combining each fixed offset with the base offset to get acorresponding translated offset; and using the sequence of translatedoffsets as the sequence of offsets.
 34. The computer-readable storagemedium of claim 32, wherein computing the message body involves:combining each ciphertext block in the ciphertext body with acorresponding offset to produce a corresponding input block; applyingthe block cipher to each input block to produce a corresponding outputblock; and combining each output block with a corresponding offset toproduce a corresponding message block.
 35. The computer-readable storagemedium of claim 32, wherein computing the message fragment involves:computing a precursor pad as a function of an offset; computing a pad byapplying the block cipher to the precursor pad; and computing themessage fragment by combining the ciphertext fragment and the pad. 36.The computer-readable storage medium of claim 32, wherein computing thetag involves: computing a checksum as a function of the message body;and computing the tag as a function of the checksum, the key, and anoffset.
 37. An authenticated-encryption apparatus that uses a key and anonce to encrypt a message into a ciphertext, the apparatus comprising:a partitioning mechanism that is configured to partition the messageinto a message body including a sequence of n-bit message blocks, and amessage fragment of at most n bits; an offset generating mechanism thatis configured to generate a sequence of offsets from the nonce and thekey; an enciphering mechanism that is configured to compute a ciphertextbody using a block cipher, the message body, the key, the nonce, and thesequence of offsets; wherein the enciphering mechanism is additionallyconfigured to compute a ciphertext fragment using the block cipher, themessage fragment, the key, and an offset; a tag computing mechanism thatis configured to compute a tag as a function of the message body, themessage fragment, the sequence of offsets, and the key; and an assemblymechanism that is configured to define the ciphertext to include theciphertext body, the ciphertext fragment, and the tag.
 38. Anauthenticated-encryption apparatus that uses a key and a nonce todecrypt a ciphertext into a message, the apparatus comprising: apartitioning mechanism that is configured to partition the ciphertextinto a ciphertext body including a sequence of n-bit ciphertext blocks,a ciphertext fragment of at most n bits, and a tag; an offset generatingmechanism that is configured to generate a sequence of offsets from thenonce and the key; a deciphering mechanism that is configured to computea message body using a block cipher, the ciphertext body, the key, thenonce, and the sequence of offsets; wherein the deciphering mechanism isconfigured to compute a message fragment using the block cipher, theciphertext fragment, the key, and an offset; a tag computing mechanismthat is configured to compute a new tag as a function of the messagebody; and a comparison mechanism that is configured to compare the newtag with the tag; wherein if the new tag matches the tag, the apparatusis configured to return the message, wherein the message includes themessage body and the message fragment; and wherein if the new tag doesnot match the tag, the apparatus is configured to return a messageinvalid signal.
 39. An authenticated-encryption method that uses ann-bit block cipher, a key, and an n-bit nonce to encrypt a message intoa ciphertext, the method comprising: partitioning the message into mmessage blocks and one final fragment, each message block having n bitsand the final fragment having between 0 and n bits; using the blockcipher, the key, and the nonce to generate a sequence of m offsets, eachoffset having n bits; using the block cipher, the key, the nonce, andthe length of the message to generate an n-bit final offset; for eachnumber i between 1 and m, xoring the i^(th) message block with thei^(th) offset to determine an i^(th) input block; for each number ibetween 1 and m, applying the block cipher, keyed by the key, to thei^(th) input block, to determine an i^(th) output block; for each numberi between 1 and m, xoring the i^(th) output block with the i^(th) offsetto determine an i^(th) ciphertext block; concatenating the m ciphertextblocks to determine a ciphertext body; computing an encoded length byencoding the length of the final fragment as an n-bit string; xoring theencoded length with the final offset to determine a precursor pad;computing a pad by applying the block cipher, keyed by the key, to theprecursor pad; xoring the final fragment with a portion of the pad todetermine a ciphertext fragment having the same length as the finalfragment; computing a padded ciphertext fragment by appending to theciphertext fragment a sufficient number of zero bits so that the paddedciphertext fragment has n bits; computing a checksum by xoring togetherthe m message blocks, the pad, and the padded ciphertext fragment;computing a precursor full tag by xoring together the checksum and them^(th) offset; determining a full tag by applying the block cipher,keyed by the key, to the precursor full tag; computing a tag as aportion of the full tag; and defining the ciphertext to be theciphertext body, the ciphertext fragment, and the tag.
 40. The method ofclaim 39, wherein the i^(th) offset from the sequence of offsets isdetermined by: computing a 0^(th) basis offset by applying the blockcipher, keyed by the key, to a constant; for each positive number i,defining the i^(th) basis offset from the prior basis offset by shiftingthe prior basis offset left one position, and then xoring the resultingvalue with a constant that depends on the first bit of the prior basisoffset; computing a base offset by applying the block cipher, keyed bythe key, to the xor of the 0^(th) basis offset and the nonce; definingthe first offset in the sequence of offsets as the xor of the 0^(th)basis offset and the base offset; and for each integer i greater thanone, defining the i^(th) offset in the sequence of offsets as the xor ofthe prior offset and the j^(th) basis offset, where j is the number ofzero-bits following the last one-bit when the number i is written inbinary.
 41. The method of claim 39, wherein the final offset isdetermined by shifting the 0^(th) basis offset one position to theright, xoring a constant that depends on the last bit of the 0^(th)basis offset, and then xoring the m^(th) offset.
 42. Anauthenticated-encryption method that encrypts a message using a key, anda nonce, said method involving the computation of a sequence of offsets,wherein this sequence of offsets is determined by: computing a 0^(th)basis offset as a function of the key; for each positive number i,defining the i^(th) basis offset from the prior basis offset by shiftingthe prior basis offset by one position and then xoring a constant thatdepends on a given bit of the prior basis offset; computing a baseoffset as a function of at least the nonce; defining the 1^(st) offsetin the sequence of offsets as a function of a basis offset and the baseoffset; and for each integer i greater than one, defining the i^(th)offset in the sequence of offsets as the xor of the prior offset and abasis offset associated to the number i.
 43. The method of claim 42wherein the basis offset associated to the number i is the j^(th) basisoffset, where j is the number of zero-bits following the last one-bitwhen the number i is written in binary.
 44. An authenticated-encryptionmethod that encrypts a message into a ciphertext using a key and anonce, comprising: computing a sequence of basis offsets from the key;computing a base offset from the key and the nonce; computing a sequenceof offsets, where the first offset is determined from the base offset,the key, and the nonce, and each subsequent offset is determined bycombining the prior offset and a basis offset; and computing theciphertext from at least the message, the key, and the sequence ofoffsets.
 45. An authenticated-encryption method that encrypts a messageusing an n-bit block cipher, a key and a nonce, said method involvingthe computation of a sequence of n-bit offsets, where computing thesequence of offsets involves: fixing a positive n-bit constant, where2^(n) minus this constant is prime; computing an n-bit stride using thekey and possibly the nonce; computing a first offset using the key andthe nonce; and computing each subsequent offset by n-bit computeraddition of the prior offset and the stride, and further followed bycomputer addition of the said constant whenever the first additionresulted in a carry.
 46. The method of claim 45, wherein the specifiedconstant is the smallest number such that 2^(n) minus this number isprime.
 47. An authenticated-encryption method that encrypts a messageusing a nonce and a block cipher keyed by a given key, comprising:computing a key-variant by enciphering a constant with the keyed blockcipher; computing a sequence of offsets using the key variant and thenonce; and computing the ciphertext using at least the keyed blockcipher, the message, and the sequence of offsets.
 48. Anauthenticated-encryption method that encrypts a message using a nonceand a block cipher keyed by a given key, comprising: computing akey-variant by enciphering a constant with the keyed block cipher;computing a sequence of basis offsets as a function of the key-variant;computing a base offset using at least the nonce; computing a 1^(st)offset from a basis offset and the base offset; for each number igreater than 1, computing the i^(th) offset in the sequence of offsetsby combining the prior offset and a basis offset; and computing theciphertext using at least the keyed block cipher, the message, and thesequence of offsets.
 49. The method of claim 48, wherein each basisoffset except for the first basis offset is determined by shifting theprior basis offset by one position and then xoring a constant thatdepends on a given bit of the prior basis offset.
 50. Acomputer-readable storage medium storing instructions that when executedby a computer cause the computer to perform an authenticated-encryptionmethod that uses an n-bit block cipher, a key, and an n-bit nonce toencrypt a message into a ciphertext, the method comprising: partitioningthe message into m message blocks and one final fragment, each messageblock having n bits and the final fragment having between 0 and n bits;using the block cipher, the key, and the nonce to generate a sequence ofm offsets, each offset having n bits; using the block cipher, the key,the nonce, and the length of the message to generate an n-bit finaloffset; for each number i between 1 and m, xoring the i^(th) messageblock with the i^(th) offset to determine an i^(th) input block; foreach number i between 1 and m, applying the block cipher, keyed by thekey, to the i^(th) input block, to determine an i^(th) output block; foreach number i between 1 and m, xoring the j^(th) output block with thei^(th) offset to determine an i^(th) ciphertext block; concatenating them ciphertext blocks to determine a ciphertext body; computing an encodedlength by encoding the length of the final fragment as an n-bit string;xoring the encoded length with the final offset to determine a precursorpad; computing a pad by applying the block cipher, keyed by the key, tothe precursor pad; xoring the final fragment with a portion of the padto determine a ciphertext fragment having the same length as the finalfragment; computing a padded ciphertext fragment by appending to theciphertext fragment a sufficient number of zero bits so that the paddedciphertext fragment has n bits; computing a checksum by xoring togetherthe m message blocks, the pad, and the padded ciphertext fragment;computing a precursor full tag by xoring together the checksum and them^(th) offset; determining a full tag by applying the block cipher,keyed by the key, to the precursor full tag; computing a tag as aportion of the full tag; and 
defining the ciphertext to be theciphertext body, the ciphertext fragment, and the tag.
 51. Thecomputer-readable storage medium of claim 50, wherein the i^(th) offsetfrom the sequence of offsets is determined by: computing a 0^(th) basisoffset by applying the block cipher, keyed by the key, to a constant;for each positive number i, defining the i^(th) basis offset from theprior basis offset by shifting the prior basis offset left one position,and then xoring the resulting value with a constant that depends on thefirst bit of the prior basis offset; computing a base offset by applyingthe block cipher, keyed by the key, to the xor of the 0^(th) basisoffset and the nonce; defining the first offset in the sequence ofoffsets as the xor of the 0^(th) basis offset and the base offset; andfor each integer i greater than one, defining the i^(th) offset in thesequence of offsets as the xor of the prior offset and the j^(th) basisoffset, where j is the number of zero-bits following the last one-bitwhen the number i is written in binary.
 52. The computer-readablestorage medium of claim 50, wherein the final offset is determined byshifting the 0^(th) basis offset one position to the right, xoring aconstant that depends on the last bit of the 0^(th) basis offset, andthen xoring the m^(th) offset.
 53. A computer-readable storage mediumstoring instructions that when executed by a computer cause the computerto perform an authenticated-encryption method that encrypts a messageusing a key, and a nonce, said method involving the computation of asequence of offsets, wherein this sequence of offsets is determined by:computing a 0^(th) basis offset as a function of the key; for eachpositive number i, defining the i^(th) basis offset from the prior basisoffset by shifting the prior basis offset by one position and thenxoring a constant that depends on a given bit of the prior basis offset;computing a base offset as a function of at least the nonce; definingthe 1^(st) offset in the sequence of offsets as a function of a basisoffset and the base offset; and for each integer i greater than one,defining the i^(th) offset in the sequence of offsets as the xor of theprior offset and a basis offset associated to the number i.
 54. Thecomputer-readable storage medium of claim 53, wherein the basis offsetassociated to the number i is the j^(th) basis offset, where j is thenumber of zero-bits following the last one-bit when the number i iswritten in binary.
 55. A computer-readable storage medium storinginstructions that when executed by a computer cause the computer toperform an authenticated-encryption method that encrypts a message intoa ciphertext using a key and a nonce, the method comprising: computing asequence of basis offsets from the key; computing a base offset from thekey and the nonce; computing a sequence of offsets, where the firstoffset is determined from the base offset, the key, and the nonce, andeach subsequent offset is determined by combining the prior offset and abasis offset; and computing the ciphertext from at least the message,the key, and the sequence of offsets.
 56. A computer-readable storagemedium storing instructions that when executed by a computer cause thecomputer to perform an authenticated-encryption method that encrypts amessage using an n-bit block cipher, a key and a nonce, said methodinvolving the computation of a sequence of n-bit offsets, wherecomputing the sequence of offsets involves: fixing a positive n-bitconstant such that 2^(n) minus this constant is prime; computing ann-bit stride using the key and possibly the nonce; computing a firstoffset using the key and the nonce; and computing each subsequent offsetby n-bit computer addition of the prior offset and the stride, andfurther followed by computer addition of the said constant whenever thefirst addition resulted in a carry.
 57. The computer-readable storagemedium of claim 56, wherein the specified constant is the smallestnumber such that 2^(n) minus this number is prime.
 58. Acomputer-readable storage medium storing instructions that when executedby a computer cause the computer to perform an authenticated-encryptionmethod that encrypts a message using a nonce and a block cipher keyed bya given key, the method comprising: computing a key-variant byenciphering a constant with the keyed block cipher; computing a sequenceof offsets using the key variant and the nonce; and computing theciphertext using at least the keyed block cipher, the message, and thesequence of offsets.
 59. A computer-readable storage medium storinginstructions that when executed by a computer cause the computer toperform an authenticated-encryption method that encrypts a message usinga nonce and a block cipher keyed by a given key, the method comprising:computing a key-variant by enciphering a constant with the keyed blockcipher; computing a sequence of basis offsets as a function of thekey-variant; computing a base offset using at least the nonce; computinga 1^(st) offset from a basis offset and the base offset; for each numberi greater than 1, computing the i^(th) offset in the sequence of offsetsby combining the prior offset and a basis offset; and computing theciphertext using at least the keyed block cipher, the message, and thesequence of offsets.
60. The computer-readable storage medium of claim 59, wherein each basis offset except for the first basis offset is determined by shifting the prior basis offset by one position and then xoring a constant that depends on a given bit of the prior basis offset.
61. An authenticated-encryption apparatus that is configured to use an n-bit block cipher, a key, and an n-bit nonce to encrypt a message into a ciphertext, comprising: a partitioning mechanism that is configured to partition the message into m message blocks and one final fragment, each message block having n bits and the final fragment having between 0 and n bits; an offset-generating mechanism that is configured to use the block cipher, the key, and the nonce to generate a sequence of m offsets, each offset having n bits, and to use the block cipher, the key, the nonce, and the length of the message to generate an n-bit final offset; an xoring mechanism, wherein for each number i between 1 and m, the xoring mechanism is configured to xor the i-th message block with the i-th offset to determine an i-th input block; an enciphering mechanism, wherein for each number i between 1 and m, the enciphering mechanism is configured to apply the block cipher, keyed by the key, to the i-th input block, to determine an i-th output block; wherein for each number i between 1 and m, the xoring mechanism is configured to xor the i-th output block with the i-th offset to determine an i-th ciphertext block; a concatenating mechanism that is configured to concatenate the m ciphertext blocks to determine a ciphertext body; a computing mechanism that is configured to compute an encoded length by encoding the length of the final fragment as an n-bit string; wherein the xoring mechanism is configured to xor the encoded length with the final offset to determine a precursor pad; wherein the computing mechanism is configured to compute a pad by applying the block cipher, keyed by the key, to the precursor pad; wherein the xoring mechanism is configured to xor the final fragment with a portion of the pad to determine a ciphertext fragment having the same length as the final fragment; wherein the computing mechanism is configured to compute a padded ciphertext fragment by appending to the ciphertext fragment a sufficient number of zero bits so that the padded ciphertext fragment has n bits; wherein the computing mechanism is configured to compute a checksum by xoring together the m message blocks, the pad, and the padded ciphertext fragment; wherein the computing mechanism is configured to compute a precursor full tag by xoring together the checksum and the m-th offset; wherein the computing mechanism is configured to determine a full tag by applying the block cipher, keyed by the key, to the precursor full tag; wherein the computing mechanism is configured to compute a tag as a portion of the full tag; and a defining mechanism that is configured to define the ciphertext to be the ciphertext body, the ciphertext fragment, and the tag.
62. An authenticated-encryption apparatus that encrypts a message using a key and a nonce, the encryption involving the computation of a sequence of offsets, comprising: an offset computing mechanism that is configured to compute a 0-th basis offset as a function of the key; wherein for each positive number i, the offset computing mechanism is configured to define the i-th basis offset from the prior basis offset by shifting the prior basis offset by one position and then xoring a constant that depends on a given bit of the prior basis offset; wherein the offset computing mechanism is configured to compute a base offset as a function of at least the nonce; wherein the offset computing mechanism is configured to define the 1st offset in the sequence of offsets as a function of a basis offset and the base offset; and wherein for each integer i greater than one, the offset computing mechanism is configured to define the i-th offset in the sequence of offsets as the xor of the prior offset and a basis offset associated to the number i.
63. An authenticated-encryption apparatus that encrypts a message into a ciphertext using a key and a nonce, comprising a computing mechanism that is configured to: compute a sequence of basis offsets from the key; compute a base offset from the key and the nonce; compute a sequence of offsets, where the first offset is determined from the base offset, the key, and the nonce, and each subsequent offset is determined by combining the prior offset and a basis offset; and compute the ciphertext from at least the message, the key, and the sequence of offsets.
64. An authenticated-encryption apparatus that encrypts a message using an n-bit block cipher, a key and a nonce, comprising: an offset computing mechanism that is configured to compute a sequence of n-bit offsets by fixing a positive n-bit constant, where 2^n minus this constant is prime; computing an n-bit stride using the key and possibly the nonce; computing a first offset using the key and the nonce; and computing each subsequent offset by n-bit computer addition of the prior offset and the stride, further followed by computer addition of the said constant whenever the first addition resulted in a carry.
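The additive offset sequence of claim 64, as an added worked example written for this page (it is not code from the patent or from any OCB implementation). For n = 128 the constant is 159, since 2^128 - 159 is prime; each step is a 128-bit computer addition of the stride, followed by addition of the constant whenever that addition carried out, which keeps every offset congruent to the prior offset plus the stride modulo the prime. Claim 64 only says the stride and first offset are derived from the key and the nonce; the choices stride S = E_K(0^n) and first offset R = E_K(N xor S), the AES-128 key and the nonce below are this example's assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"fmt"
	"math/bits"
)

// c is the claim 64 constant for n = 128: 2^128 - 159 is prime, so the offsets
// are, up to the carry correction below, R + (i-1)*S modulo 2^128 - c.
const c = 159

type u128 [2]uint64 // an n-bit offset as two big-endian 64-bit halves: [0] high, [1] low

func fromBytes(p []byte) u128 {
	return u128{binary.BigEndian.Uint64(p), binary.BigEndian.Uint64(p[8:])}
}

// next is the claim 64 step: 128-bit computer addition of the prior offset and
// the stride, then addition of c whenever that addition carried out. Adding c
// after a carry subtracts exactly 2^128 - c, so the result stays congruent to
// z + s modulo the prime. The loop (this example's extension) also absorbs the
// astronomically rare carry of the correction itself, keeping the result < 2^128.
func next(z, s u128) u128 {
	lo, carry := bits.Add64(z[1], s[1], 0)
	hi, carry := bits.Add64(z[0], s[0], carry)
	for carry == 1 {
		lo, carry = bits.Add64(lo, c, 0)
		hi, carry = bits.Add64(hi, 0, carry)
	}
	return u128{hi, lo}
}

// Offsets returns the first m offsets of the sequence. Claim 64 only requires
// the stride and the first offset to be derived from the key (and nonce); this
// example's assumption is stride S = E_K(0^n), which can be precomputed per key,
// and first offset R = E_K(N xor S), which changes with every nonce.
func Offsets(bc cipher.Block, nonce [16]byte, m int) []u128 {
	var buf [16]byte
	bc.Encrypt(buf[:], buf[:])
	s := fromBytes(buf[:])
	for i := range buf {
		buf[i] ^= nonce[i]
	}
	bc.Encrypt(buf[:], buf[:])
	z := []u128{fromBytes(buf[:])}
	for i := 1; i < m; i++ {
		z = append(z, next(z[i-1], s))
	}
	return z[:m]
}

func main() {
	bc, _ := aes.NewCipher([]byte("0123456789abcdef")) // constructed demo key, not for real use
	var nonce [16]byte
	nonce[15] = 7
	for i, z := range Offsets(bc, nonce, 4) {
		fmt.Printf("Z_%d = %016x%016x\n", i+1, z[0], z[1])
	}
	// Forced carry: (2^128 - 1) + 1 wraps to 0, and the correction adds c = 159.
	fmt.Println(next(u128{^uint64(0), ^uint64(0)}, u128{0, 1}))
}
```

The point of the construction is that consecutive offsets are generated with two integer additions and no table of basis offsets, while the prime modulus guarantees that R + i*S and R + j*S differ for any i, j below the modulus unless S is a multiple of the prime; a stride that is 0 or 2^128 - 159 would collapse the whole sequence, so an implementation that does not reject it is relying on the block cipher never producing those two outputs.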
65. An authenticated-encryption apparatus that encrypts a message using a nonce and a block cipher keyed by a given key, comprising a computing mechanism that is configured to: compute a key-variant by enciphering a constant with the keyed block cipher; compute a sequence of offsets using the key-variant and the nonce; and compute the ciphertext using at least the keyed block cipher, the message, and the sequence of offsets.
66. An authenticated-encryption apparatus that encrypts a message using a nonce and a block cipher keyed by a given key, comprising a computing mechanism that is configured to: compute a key-variant by enciphering a constant with the keyed block cipher; compute a sequence of basis offsets as a function of the key-variant; compute a base offset using at least the nonce; compute a 1st offset from a basis offset and the base offset; for each number i greater than 1, compute the i-th offset in the sequence of offsets by combining the prior offset and a basis offset; and compute the ciphertext using at least the keyed block cipher, the message, and the sequence of offsets.
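The offset derivation of claims 59, 60, 62, 63, 65 and 66 (key variant, shift-and-conditional-xor basis offsets, nonce-dependent base offset, xor-chained offsets) and the encryption of claim 61 (block processing, fragment pad, checksum and tag) in one added worked example using Go's crypto/aes. This is illustrative code written for this page, not the patent's or any OCB library's implementation. Two details the claims leave open are fixed here as in the published OCB construction and are assumptions: offset i is combined with basis offset ntz(i), the number of trailing zero bits of i, and the final offset is Z_m xor L*x^-1. The message is split as in claim 61 into m full blocks and a fragment of 0 to n-1 bytes; the key, nonce and message are constructed demo values. A Decrypt routine with a constant-time tag comparison is included because the claims describe only encryption, and verification is the step a practitioner must get right.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/subtle"
	"encoding/binary"
	"errors"
	"fmt"
	"math/bits"
)

const n = 16 // block length in bytes (n = 128 bits for AES)

type block [2]uint64 // an n-bit string as two big-endian 64-bit halves: [0] high, [1] low

func load(p []byte) block { return block{binary.BigEndian.Uint64(p), binary.BigEndian.Uint64(p[8:])} }
func (b block) bytes() []byte {
	return binary.BigEndian.AppendUint64(binary.BigEndian.AppendUint64(nil, b[0]), b[1])
}
func xor(a, b block) block { return block{a[0] ^ b[0], a[1] ^ b[1]} }
func apply(f func(dst, src []byte), x block) block { p := x.bytes(); f(p, p); return load(p) }

// double is the claim 60/62 step: shift the prior basis offset left by one position
// and xor 0x87 if the bit shifted out was 1 (times x in GF(2^128) mod x^128+x^7+x^2+x+1).
func double(b block) block { return block{b[0]<<1 | b[1]>>63, b[1]<<1 ^ (0x87 & -(b[0] >> 63))} }

// halve is the inverse step, multiplication by x^-1 = x^127 + x^6 + x + 1.
func halve(b block) block {
	m := -(b[1] & 1) // all ones if the low bit shifts out
	return block{b[0]>>1 ^ m&(1<<63), b[1]>>1 | b[0]<<63 ^ m&0x43}
}

// offsets: key variant L = E_K(0^n); basis offsets L_i = L*x^i; base offset
// R = E_K(N xor L); Z_0 = R and Z_i = Z_{i-1} xor L_{ntz(i)}. Pairing offset i
// with basis offset ntz(i) is the published OCB choice (assumption; the claims leave it open).
func offsets(bc cipher.Block, nonce block, m int) ([]block, block) {
	L := []block{apply(bc.Encrypt, block{})}
	for i := 1; i <= bits.Len(uint(m)); i++ {
		L = append(L, double(L[i-1]))
	}
	Z := []block{apply(bc.Encrypt, xor(nonce, L[0]))}
	for i := 1; i <= m; i++ {
		Z = append(Z, xor(Z[i-1], L[bits.TrailingZeros(uint(i))]))
	}
	return Z, L[0]
}

// process is the claim 61 core shared by both directions: Y_i = f(X_i xor Z_i) xor Z_i
// with f = E_K or D_K; pad = E_K(len xor Z_m xor L*x^-1), len = fragment bit length as
// an n-bit string (final offset as in published OCB; assumption). Returns the output and
// the full tag E_K(checksum xor Z_m), checksum = M_1 ^ .. ^ M_m ^ pad ^ (Cfrag || 0*).
func process(bc cipher.Block, nonce block, in []byte, decrypt bool) ([]byte, block) {
	f, p := bc.Encrypt, 0 // p selects the plaintext side for the checksum
	if decrypt {
		f, p = bc.Decrypt, 1
	}
	m := len(in) / n
	Z, L := offsets(bc, nonce, m)
	var out []byte
	var sum block
	for i := 1; i <= m; i++ {
		X := load(in[(i-1)*n:])
		Y := xor(apply(f, xor(X, Z[i])), Z[i])
		out = append(out, Y.bytes()...)
		sum = xor(sum, [2]block{X, Y}[p])
	}
	frag, cfrag := in[m*n:], make([]byte, n) // cfrag: ciphertext fragment, zero-extended to n bits
	pad := apply(bc.Encrypt, xor(block{0, uint64(len(frag)) * 8}, xor(Z[m], halve(L)))).bytes()
	for i, b := range frag {
		out = append(out, b^pad[i])
		cfrag[i] = [2]byte{b ^ pad[i], b}[p]
	}
	return out, apply(bc.Encrypt, xor(xor(xor(sum, load(pad)), load(cfrag)), Z[m]))
}

// Encrypt returns ciphertext body || ciphertext fragment || tag (tagLen bytes of the full tag).
func Encrypt(bc cipher.Block, nonce block, msg []byte, tagLen int) []byte {
	ct, tag := process(bc, nonce, msg, false)
	return append(ct, tag.bytes()[:tagLen]...)
}

// Decrypt compares tags in constant time and releases plaintext only on success.
func Decrypt(bc cipher.Block, nonce block, ct []byte, tagLen int) ([]byte, error) {
	if len(ct) < tagLen {
		return nil, errors.New("ciphertext shorter than tag")
	}
	msg, tag := process(bc, nonce, ct[:len(ct)-tagLen], true)
	if subtle.ConstantTimeCompare(tag.bytes()[:tagLen], ct[len(ct)-tagLen:]) != 1 {
		return nil, errors.New("authentication failed")
	}
	return msg, nil
}

func main() {
	bc, _ := aes.NewCipher([]byte("0123456789abcdef")) // constructed demo key, not for real use
	ct := Encrypt(bc, block{0, 1}, []byte("OCB: 2 full blocks plus a fragment"), 16) // m = 2, 2-byte fragment
	pt, err := Decrypt(bc, block{0, 1}, ct, 16)
	fmt.Printf("%x\n%q %v\n", ct, pt, err)
}
```

Every message block costs one block-cipher call plus two xors, the offsets are computed with shifts and xors only, and the whole pass needs m + 3 cipher calls (one for L, one for R, one for the pad, one for the tag; L can be cached per key). The security argument depends on the nonce never repeating under a key: a repeated nonce repeats every offset and leaks the xor of the two plaintexts block by block, exactly as with any nonce-misuse in a scheme of this shape.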